OpenSSL CVS Repository
http://cvs.openssl.org/
____________________________________________________________________________

Server: cvs.openssl.org                  Name:   Dr. Stephen Henson
Root:   /v/openssl/cvs                   Email:  steve openssl.org
Module: openssl                          Date:   31-Aug-2007 14:42:54
Branch: HEAD                             Handle: 2007083113424607

Modified files:
  openssl                 CHANGES
  openssl/crypto/objects  obj_dat.h obj_mac.h obj_mac.num objects.txt
  openssl/ssl             d1_both.c d1_clnt.c d1_srvr.c s3_both.c s3_clnt.c
                          s3_enc.c s3_lib.c s3_pkt.c s3_srvr.c ssl.h ssl3.h
                          ssl_ciph.c ssl_err.c ssl_lib.c ssl_locl.h t1_enc.c
                          tls1.h
  openssl/util            ssleay.num

Log:
  Update ssl code to support digests other than MD5+SHA1 in handshake.

  Submitted by: Victor B. Wagner <vitus cryptocom.ru>

Summary:
  Revision    Changes     Path
  1.1391      +5 -0       openssl/CHANGES
  1.103       +113 -111   openssl/crypto/objects/obj_dat.h
  1.69        +4 -4       openssl/crypto/objects/obj_mac.h
  1.59        +2 -0       openssl/crypto/objects/obj_mac.num
  1.70        +2 -1       openssl/crypto/objects/objects.txt
  1.9         +0 -2       openssl/ssl/d1_both.c
  1.12        +4 -2       openssl/ssl/d1_clnt.c
  1.13        +2 -2       openssl/ssl/d1_srvr.c
  1.46        +9 -4       openssl/ssl/s3_both.c
  1.111       +5 -2       openssl/ssl/s3_clnt.c
  1.50        +89 -21     openssl/ssl/s3_enc.c
  1.116       +124 -123   openssl/ssl/s3_lib.c
  1.63        +0 -2       openssl/ssl/s3_pkt.c
  1.155       +9 -2       openssl/ssl/s3_srvr.c
  1.197       +6 -1       openssl/ssl/ssl.h
  1.40        +5 -3       openssl/ssl/ssl3.h
  1.75        +54 -13     openssl/ssl/ssl_ciph.c
  1.65        +6 -0       openssl/ssl/ssl_err.c
  1.160       +2 -2       openssl/ssl/ssl_lib.c
  1.85        +32 -9      openssl/ssl/ssl_locl.h
  1.45        +67 -30     openssl/ssl/t1_enc.c
  1.36        +1 -0       openssl/ssl/tls1.h
  1.51        +13 -13     openssl/util/ssleay.num
____________________________________________________________________________
patch -p0 <<' .'
Index: openssl/CHANGES
============================================================
================
$ cvs diff -u -r1.1390 -r1.1391 CHANGES
--- openssl/CHANGES 27 Aug 2007 23:41:36 -0000 1.1390
+++ openssl/CHANGES 31 Aug 2007 12:42:46 -0000 1.1391
 -4,6 +4,11 
Changes between 0.9.8f and 0.9.9 [xx XXX xxxx]
+ *) Update ssl code to support digests other than
SHA1+MD5 for handshake
+ MAC.
+
+ [Victor B. Wagner <vitus cryptocom.ru>]
+
*) Add RFC4507 support to OpenSSL. This includes the
corrections in
RFC4507bis. The encrypted ticket format is an
encrypted encoded
SSL_SESSION structure, that way new session features
are automatically
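Review bot: The new CHANGES entry describes only the handshake MAC work, but the same commit also changes the short name of OBJ_id_Gost28147_89_MAC from "id-Gost28147-89-MAC" to "gost-mac" and moves its NID from 787 to 843 (see the obj_mac.h hunk). That change is visible to applications and should get its own line in this entry, or be split into a separate commit with its own CHANGES note.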
 .
patch -p0 <<' .'
Index: openssl/crypto/objects/obj_dat.h
============================================================
================
$ cvs diff -u -r1.102 -r1.103 obj_dat.h
--- openssl/crypto/objects/obj_dat.h 23 Apr 2007 23:48:35
-0000 1.102
+++ openssl/crypto/objects/obj_dat.h 31 Aug 2007 12:42:48
-0000 1.103
 -62,7 +62,7 
* [including the GNU Public Licence.]
*/
-#define NUM_NID 842
+#define NUM_NID 844
#define NUM_SN 838
#define NUM_LN 838
#define NUM_OBJ 792
 -807,59 +807,59 
0x2A,0x85,0x03,0x02,0x02,0x13, /* [5195]
OBJ_id_GostR3410_2001 */
0x2A,0x85,0x03,0x02,0x02,0x14, /* [5201]
OBJ_id_GostR3410_94 */
0x2A,0x85,0x03,0x02,0x02,0x15, /* [5207]
OBJ_id_Gost28147_89 */
-0x2A,0x85,0x03,0x02,0x02,0x16, /* [5213]
OBJ_id_Gost28147_89_MAC */
-0x2A,0x85,0x03,0x02,0x02,0x17, /* [5219]
OBJ_id_GostR3411_94_prf */
-0x2A,0x85,0x03,0x02,0x02,0x62, /* [5225]
OBJ_id_GostR3410_2001DH */
-0x2A,0x85,0x03,0x02,0x02,0x63, /* [5231]
OBJ_id_GostR3410_94DH */
-0x2A,0x85,0x03,0x02,0x02,0x0E,0x01, /* [5237]
OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
-0x2A,0x85,0x03,0x02,0x02,0x0E,0x00, /* [5244]
OBJ_id_Gost28147_89_None_KeyMeshing */
-0x2A,0x85,0x03,0x02,0x02,0x1E,0x00, /* [5251]
OBJ_id_GostR3411_94_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1E,0x01, /* [5258]
OBJ_id_GostR3411_94_CryptoProParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x00, /* [5265]
OBJ_id_Gost28147_89_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x01, /* [5272]
OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x02, /* [5279]
OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x03, /* [5286]
OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x04, /* [5293]
OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x05, /* [5300]
OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x06, /* [5307]
OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x1F,0x07, /* [5314]
OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x00, /* [5321]
OBJ_id_GostR3410_94_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x02, /* [5328]
OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x03, /* [5335]
OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x04, /* [5342]
OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x20,0x05, /* [5349]
OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x21,0x01, /* [5356]
OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x21,0x02, /* [5363]
OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x21,0x03, /* [5370]
OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x00, /* [5377]
OBJ_id_GostR3410_2001_TestParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x01, /* [5384]
OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x02, /* [5391]
OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x23,0x03, /* [5398]
OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x24,0x00, /* [5405]
OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x24,0x01, /* [5412]
OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x01, /* [5419]
OBJ_id_GostR3410_94_a */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x02, /* [5426]
OBJ_id_GostR3410_94_aBis */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x03, /* [5433]
OBJ_id_GostR3410_94_b */
-0x2A,0x85,0x03,0x02,0x02,0x14,0x04, /* [5440]
OBJ_id_GostR3410_94_bBis */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01, /* [5447]
OBJ_id_Gost28147_89_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03, /* [5455]
OBJ_id_GostR3410_94_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04, /* [5463]
OBJ_id_GostR3410_2001_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03, /* [5471]
OBJ_id_GostR3411_94_with_GostR3410_94_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04, /* [5479]
OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
-0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01, /* [5487]
OBJ_id_GostR3410_2001_ParamSet_cc */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02, /* [5495]
OBJ_ecdsa_with_Recommended */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03, /* [5502]
OBJ_ecdsa_with_Specified */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01, /* [5509]
OBJ_ecdsa_with_SHA224 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, /* [5517]
OBJ_ecdsa_with_SHA256 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03, /* [5525]
OBJ_ecdsa_with_SHA384 */
-0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04, /* [5533]
OBJ_ecdsa_with_SHA512 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,/* [5541]
OBJ_dsa_with_SHA224 */
-0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,/* [5550]
OBJ_dsa_with_SHA256 */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44, /* [5559]
OBJ_kisa */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03, /* [5565]
OBJ_seed_ecb */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04, /* [5573]
OBJ_seed_cbc */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05, /* [5581]
OBJ_seed_cfb128 */
-0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06, /* [5589]
OBJ_seed_ofb128 */
+0x2A,0x85,0x03,0x02,0x02,0x17, /* [5213]
OBJ_id_GostR3411_94_prf */
+0x2A,0x85,0x03,0x02,0x02,0x62, /* [5219]
OBJ_id_GostR3410_2001DH */
+0x2A,0x85,0x03,0x02,0x02,0x63, /* [5225]
OBJ_id_GostR3410_94DH */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x01, /* [5231]
OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x00, /* [5238]
OBJ_id_Gost28147_89_None_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x00, /* [5245]
OBJ_id_GostR3411_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x01, /* [5252]
OBJ_id_GostR3411_94_CryptoProParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x00, /* [5259]
OBJ_id_Gost28147_89_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x01, /* [5266]
OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x02, /* [5273]
OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x03, /* [5280]
OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x04, /* [5287]
OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x05, /* [5294]
OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x06, /* [5301]
OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x07, /* [5308]
OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x00, /* [5315]
OBJ_id_GostR3410_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x02, /* [5322]
OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x03, /* [5329]
OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x04, /* [5336]
OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x05, /* [5343]
OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x01, /* [5350]
OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x02, /* [5357]
OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x03, /* [5364]
OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x00, /* [5371]
OBJ_id_GostR3410_2001_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x01, /* [5378]
OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x02, /* [5385]
OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x03, /* [5392]
OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x00, /* [5399]
OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x01, /* [5406]
OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x01, /* [5413]
OBJ_id_GostR3410_94_a */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x02, /* [5420]
OBJ_id_GostR3410_94_aBis */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x03, /* [5427]
OBJ_id_GostR3410_94_b */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x04, /* [5434]
OBJ_id_GostR3410_94_bBis */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01, /* [5441]
OBJ_id_Gost28147_89_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03, /* [5449]
OBJ_id_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04, /* [5457]
OBJ_id_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03, /* [5465]
OBJ_id_GostR3411_94_with_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04, /* [5473]
OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01, /* [5481]
OBJ_id_GostR3410_2001_ParamSet_cc */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02, /* [5489]
OBJ_ecdsa_with_Recommended */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03, /* [5496]
OBJ_ecdsa_with_Specified */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01, /* [5503]
OBJ_ecdsa_with_SHA224 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, /* [5511]
OBJ_ecdsa_with_SHA256 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03, /* [5519]
OBJ_ecdsa_with_SHA384 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04, /* [5527]
OBJ_ecdsa_with_SHA512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,/* [5535]
OBJ_dsa_with_SHA224 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,/* [5544]
OBJ_dsa_with_SHA256 */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44, /* [5553]
OBJ_kisa */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03, /* [5559]
OBJ_seed_ecb */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04, /* [5567]
OBJ_seed_cbc */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05, /* [5575]
OBJ_seed_cfb128 */
+0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06, /* [5583]
OBJ_seed_ofb128 */
+0x2A,0x85,0x03,0x02,0x02,0x16, /* [5591]
OBJ_id_Gost28147_89_MAC */
};
static ASN1_OBJECT nid_objs[NUM_NID]={
 -2089,137 +2089,139 
&(lvalues[5195]),0},
{"gost94","GOST R
34.10-94",NID_id_GostR3410_94,6,&(lvalues[5201]),0}
,
{"gost89","GOST
28147-89",NID_id_Gost28147_89,6,&(lvalues[5207]),0}
,
-{"id-Gost28147-89-MAC","GOST 28147-89
MAC",NID_id_Gost28147_89_MAC,6,
- &(lvalues[5213]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
{"prf-gostr3411-94","GOST R 34.11-94
PRF",NID_id_GostR3411_94_prf,6,
- &(lvalues[5219]),0},
+ &(lvalues[5213]),0},
{"id-GostR3410-2001DH","GOST R 34.10-2001
DH",NID_id_GostR3410_2001DH,
- 6,&(lvalues[5225]),0},
+ 6,&(lvalues[5219]),0},
{"id-GostR3410-94DH","GOST R 34.10-94
DH",NID_id_GostR3410_94DH,6,
- &(lvalues[5231]),0},
+ &(lvalues[5225]),0},
{"id-Gost28147-89-CryptoPro-KeyMeshing",
"id-Gost28147-89-CryptoPro-KeyMeshing",
- NID_id_Gost28147_89_CryptoPro_KeyMeshing,7,&(lvalues[5
237]),0},
+ NID_id_Gost28147_89_CryptoPro_KeyMeshing,7,&(lvalues[5
231]),0},
{"id-Gost28147-89-None-KeyMeshing","id-Gost28
147-89-None-KeyMeshing",
- NID_id_Gost28147_89_None_KeyMeshing,7,&(lvalues[5244])
,0},
+ NID_id_Gost28147_89_None_KeyMeshing,7,&(lvalues[5238])
,0},
{"id-GostR3411-94-TestParamSet","id-GostR3411
-94-TestParamSet",
- NID_id_GostR3411_94_TestParamSet,7,&(lvalues[5251]),0}
,
+ NID_id_GostR3411_94_TestParamSet,7,&(lvalues[5245]),0}
,
{"id-GostR3411-94-CryptoProParamSet",
"id-GostR3411-94-CryptoProParamSet",
- NID_id_GostR3411_94_CryptoProParamSet,7,&(lvalues[5258
]),0},
+ NID_id_GostR3411_94_CryptoProParamSet,7,&(lvalues[5252
]),0},
{"id-Gost28147-89-TestParamSet","id-Gost28147
-89-TestParamSet",
- NID_id_Gost28147_89_TestParamSet,7,&(lvalues[5265]),0}
,
+ NID_id_Gost28147_89_TestParamSet,7,&(lvalues[5259]),0}
,
{"id-Gost28147-89-CryptoPro-A-ParamSet",
"id-Gost28147-89-CryptoPro-A-ParamSet",
- NID_id_Gost28147_89_CryptoPro_A_ParamSet,7,&(lvalues[5
272]),0},
+ NID_id_Gost28147_89_CryptoPro_A_ParamSet,7,&(lvalues[5
266]),0},
{"id-Gost28147-89-CryptoPro-B-ParamSet",
"id-Gost28147-89-CryptoPro-B-ParamSet",
- NID_id_Gost28147_89_CryptoPro_B_ParamSet,7,&(lvalues[5
279]),0},
+ NID_id_Gost28147_89_CryptoPro_B_ParamSet,7,&(lvalues[5
273]),0},
{"id-Gost28147-89-CryptoPro-C-ParamSet",
"id-Gost28147-89-CryptoPro-C-ParamSet",
- NID_id_Gost28147_89_CryptoPro_C_ParamSet,7,&(lvalues[5
286]),0},
+ NID_id_Gost28147_89_CryptoPro_C_ParamSet,7,&(lvalues[5
280]),0},
{"id-Gost28147-89-CryptoPro-D-ParamSet",
"id-Gost28147-89-CryptoPro-D-ParamSet",
- NID_id_Gost28147_89_CryptoPro_D_ParamSet,7,&(lvalues[5
293]),0},
+ NID_id_Gost28147_89_CryptoPro_D_ParamSet,7,&(lvalues[5
287]),0},
{"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
- NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet,7,&(l
values[5300]),
+ NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet,7,&(l
values[5294]),
0},
{"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
- NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet,7,&(l
values[5307]),
+ NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet,7,&(l
values[5301]),
0},
{"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
- NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet,7,&(lvalu
es[5314]),0},
+ NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet,7,&(lvalu
es[5308]),0},
{"id-GostR3410-94-TestParamSet","id-GostR3410
-94-TestParamSet",
- NID_id_GostR3410_94_TestParamSet,7,&(lvalues[5321]),0}
,
+ NID_id_GostR3410_94_TestParamSet,7,&(lvalues[5315]),0}
,
{"id-GostR3410-94-CryptoPro-A-ParamSet",
"id-GostR3410-94-CryptoPro-A-ParamSet",
- NID_id_GostR3410_94_CryptoPro_A_ParamSet,7,&(lvalues[5
328]),0},
+ NID_id_GostR3410_94_CryptoPro_A_ParamSet,7,&(lvalues[5
322]),0},
{"id-GostR3410-94-CryptoPro-B-ParamSet",
"id-GostR3410-94-CryptoPro-B-ParamSet",
- NID_id_GostR3410_94_CryptoPro_B_ParamSet,7,&(lvalues[5
335]),0},
+ NID_id_GostR3410_94_CryptoPro_B_ParamSet,7,&(lvalues[5
329]),0},
{"id-GostR3410-94-CryptoPro-C-ParamSet",
"id-GostR3410-94-CryptoPro-C-ParamSet",
- NID_id_GostR3410_94_CryptoPro_C_ParamSet,7,&(lvalues[5
342]),0},
+ NID_id_GostR3410_94_CryptoPro_C_ParamSet,7,&(lvalues[5
336]),0},
{"id-GostR3410-94-CryptoPro-D-ParamSet",
"id-GostR3410-94-CryptoPro-D-ParamSet",
- NID_id_GostR3410_94_CryptoPro_D_ParamSet,7,&(lvalues[5
349]),0},
+ NID_id_GostR3410_94_CryptoPro_D_ParamSet,7,&(lvalues[5
343]),0},
{"id-GostR3410-94-CryptoPro-XchA-ParamSet",
"id-GostR3410-94-CryptoPro-XchA-ParamSet",
- NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,7,&(lvalue
s[5356]),0},
+ NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,7,&(lvalue
s[5350]),0},
{"id-GostR3410-94-CryptoPro-XchB-ParamSet",
"id-GostR3410-94-CryptoPro-XchB-ParamSet",
- NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,7,&(lvalue
s[5363]),0},
+ NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,7,&(lvalue
s[5357]),0},
{"id-GostR3410-94-CryptoPro-XchC-ParamSet",
"id-GostR3410-94-CryptoPro-XchC-ParamSet",
- NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,7,&(lvalue
s[5370]),0},
+ NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,7,&(lvalue
s[5364]),0},
{"id-GostR3410-2001-TestParamSet","id-GostR34
10-2001-TestParamSet",
- NID_id_GostR3410_2001_TestParamSet,7,&(lvalues[5377]),
0},
+ NID_id_GostR3410_2001_TestParamSet,7,&(lvalues[5371]),
0},
{"id-GostR3410-2001-CryptoPro-A-ParamSet",
"id-GostR3410-2001-CryptoPro-A-ParamSet",
- NID_id_GostR3410_2001_CryptoPro_A_ParamSet,7,&(lvalues
[5384]),0},
+ NID_id_GostR3410_2001_CryptoPro_A_ParamSet,7,&(lvalues
[5378]),0},
{"id-GostR3410-2001-CryptoPro-B-ParamSet",
"id-GostR3410-2001-CryptoPro-B-ParamSet",
- NID_id_GostR3410_2001_CryptoPro_B_ParamSet,7,&(lvalues
[5391]),0},
+ NID_id_GostR3410_2001_CryptoPro_B_ParamSet,7,&(lvalues
[5385]),0},
{"id-GostR3410-2001-CryptoPro-C-ParamSet",
"id-GostR3410-2001-CryptoPro-C-ParamSet",
- NID_id_GostR3410_2001_CryptoPro_C_ParamSet,7,&(lvalues
[5398]),0},
+ NID_id_GostR3410_2001_CryptoPro_C_ParamSet,7,&(lvalues
[5392]),0},
{"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
- NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet,7,&(lval
ues[5405]),0},
+ NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet,7,&(lval
ues[5399]),0},
{"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
- NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet,7,&(lval
ues[5412]),0},
+ NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet,7,&(lval
ues[5406]),0},
{"id-GostR3410-94-a","id-GostR3410-94-a"
,NID_id_GostR3410_94_a,7,
- &(lvalues[5419]),0},
+ &(lvalues[5413]),0},
{"id-GostR3410-94-aBis","id-GostR3410-94-aBis
",
- NID_id_GostR3410_94_aBis,7,&(lvalues[5426]),0},
+ NID_id_GostR3410_94_aBis,7,&(lvalues[5420]),0},
{"id-GostR3410-94-b","id-GostR3410-94-b"
,NID_id_GostR3410_94_b,7,
- &(lvalues[5433]),0},
+ &(lvalues[5427]),0},
{"id-GostR3410-94-bBis","id-GostR3410-94-bBis
",
- NID_id_GostR3410_94_bBis,7,&(lvalues[5440]),0},
+ NID_id_GostR3410_94_bBis,7,&(lvalues[5434]),0},
{"id-Gost28147-89-cc","GOST 28147-89
Cryptocom ParamSet",
- NID_id_Gost28147_89_cc,8,&(lvalues[5447]),0},
+ NID_id_Gost28147_89_cc,8,&(lvalues[5441]),0},
{"gost94cc","GOST 34.10-94
Cryptocom",NID_id_GostR3410_94_cc,8,
- &(lvalues[5455]),0},
+ &(lvalues[5449]),0},
{"gost2001cc","GOST 34.10-2001
Cryptocom",NID_id_GostR3410_2001_cc,8,
- &(lvalues[5463]),0},
+ &(lvalues[5457]),0},
{"id-GostR3411-94-with-GostR3410-94-cc",
"GOST R 34.11-94 with GOST R 34.10-94
Cryptocom",
- NID_id_GostR3411_94_with_GostR3410_94_cc,8,&(lvalues[5
471]),0},
+ NID_id_GostR3411_94_with_GostR3410_94_cc,8,&(lvalues[5
465]),0},
{"id-GostR3411-94-with-GostR3410-2001-cc",
"GOST R 34.11-94 with GOST R 34.10-2001
Cryptocom",
- NID_id_GostR3411_94_with_GostR3410_2001_cc,8,&(lvalues
[5479]),0},
+ NID_id_GostR3411_94_with_GostR3410_2001_cc,8,&(lvalues
[5473]),0},
{"id-GostR3410-2001-ParamSet-cc",
"GOST R 3410-2001 Parameter Set Cryptocom",
- NID_id_GostR3410_2001_ParamSet_cc,8,&(lvalues[5487]),0
},
+ NID_id_GostR3410_2001_ParamSet_cc,8,&(lvalues[5481]),0
},
{"ecdsa-with-Recommended","ecdsa-with-Recomme
nded",
- NID_ecdsa_with_Recommended,7,&(lvalues[5495]),0},
+ NID_ecdsa_with_Recommended,7,&(lvalues[5489]),0},
{"ecdsa-with-Specified","ecdsa-with-Specified
",
- NID_ecdsa_with_Specified,7,&(lvalues[5502]),0},
+ NID_ecdsa_with_Specified,7,&(lvalues[5496]),0},
{"ecdsa-with-SHA224","ecdsa-with-SHA224"
,NID_ecdsa_with_SHA224,8,
- &(lvalues[5509]),0},
+ &(lvalues[5503]),0},
{"ecdsa-with-SHA256","ecdsa-with-SHA256"
,NID_ecdsa_with_SHA256,8,
- &(lvalues[5517]),0},
+ &(lvalues[5511]),0},
{"ecdsa-with-SHA384","ecdsa-with-SHA384"
,NID_ecdsa_with_SHA384,8,
- &(lvalues[5525]),0},
+ &(lvalues[5519]),0},
{"ecdsa-with-SHA512","ecdsa-with-SHA512"
,NID_ecdsa_with_SHA512,8,
- &(lvalues[5533]),0},
+ &(lvalues[5527]),0},
{"dsa_with_SHA224","dsa_with_SHA224",NID
_dsa_with_SHA224,9,
- &(lvalues[5541]),0},
+ &(lvalues[5535]),0},
{"dsa_with_SHA256","dsa_with_SHA256",NID
_dsa_with_SHA256,9,
- &(lvalues[5550]),0},
+ &(lvalues[5544]),0},
{"gost89-cnt","gost89-cnt",NID_gost89_cn
t,0,NULL,0},
{"HMAC","hmac",NID_hmac,0,NULL,0},
-{"KISA","kisa",NID_kisa,6,&(lvalues
[5559]),0},
-{"SEED-ECB","seed-ecb",NID_seed_ecb,8,&
amp;(lvalues[5565]),0},
-{"SEED-CBC","seed-cbc",NID_seed_cbc,8,&
amp;(lvalues[5573]),0},
-{"SEED-CFB","seed-cfb",NID_seed_cfb128,
8,&(lvalues[5581]),0},
-{"SEED-OFB","seed-ofb",NID_seed_ofb128,
8,&(lvalues[5589]),0},
+{"KISA","kisa",NID_kisa,6,&(lvalues
[5553]),0},
+{"SEED-ECB","seed-ecb",NID_seed_ecb,8,&
amp;(lvalues[5559]),0},
+{"SEED-CBC","seed-cbc",NID_seed_cbc,8,&
amp;(lvalues[5567]),0},
+{"SEED-CFB","seed-cfb",NID_seed_cfb128,
8,&(lvalues[5575]),0},
+{"SEED-OFB","seed-ofb",NID_seed_ofb128,
8,&(lvalues[5583]),0},
+{NULL,NULL,NID_undef,0,NULL,0},
+{"gost-mac","GOST 28147-89
MAC",NID_id_Gost28147_89_MAC,6,
+ &(lvalues[5591]),0},
};
static ASN1_OBJECT *sn_objs[NUM_SN]={
 -2498,6 +2500,7 
&(nid_objs[490]),/* "friendlyCountryName"
*/
&(nid_objs[156]),/* "friendlyName" */
&(nid_objs[509]),/* "generationQualifier"
*/
+&(nid_objs[843]),/* "gost-mac" */
&(nid_objs[784]),/* "gost2001" */
&(nid_objs[823]),/* "gost2001cc" */
&(nid_objs[786]),/* "gost89" */
 -2526,7 +2529,6 
&(nid_objs[801]),/*
"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
&(nid_objs[800]),/*
"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
&(nid_objs[802]),/*
"id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
-&(nid_objs[787]),/* "id-Gost28147-89-MAC"
*/
&(nid_objs[792]),/*
"id-Gost28147-89-None-KeyMeshing" */
&(nid_objs[795]),/*
"id-Gost28147-89-TestParamSet" */
&(nid_objs[821]),/* "id-Gost28147-89-cc"
*/
 -3082,7 +3084,7 
&(nid_objs[172]),/* "Extension Request" */
&(nid_objs[786]),/* "GOST 28147-89" */
&(nid_objs[821]),/* "GOST 28147-89 Cryptocom
ParamSet" */
-&(nid_objs[787]),/* "GOST 28147-89 MAC" */
+&(nid_objs[843]),/* "GOST 28147-89 MAC" */
&(nid_objs[823]),/* "GOST 34.10-2001
Cryptocom" */
&(nid_objs[822]),/* "GOST 34.10-94
Cryptocom" */
&(nid_objs[784]),/* "GOST R 34.10-2001" */
 -4186,7 +4188,7 
&(nid_objs[784]),/* OBJ_id_GostR3410_2001
1 2 643 2 2 19 */
&(nid_objs[785]),/* OBJ_id_GostR3410_94
1 2 643 2 2 20 */
&(nid_objs[786]),/* OBJ_id_Gost28147_89
1 2 643 2 2 21 */
-&(nid_objs[787]),/* OBJ_id_Gost28147_89_MAC
1 2 643 2 2 22 */
+&(nid_objs[843]),/* OBJ_id_Gost28147_89_MAC
1 2 643 2 2 22 */
&(nid_objs[788]),/* OBJ_id_GostR3411_94_prf
1 2 643 2 2 23 */
&(nid_objs[789]),/* OBJ_id_GostR3410_2001DH
1 2 643 2 2 98 */
&(nid_objs[790]),/* OBJ_id_GostR3410_94DH
1 2 643 2 2 99 */
 .
patch -p0 <<' .'
Index: openssl/crypto/objects/obj_mac.h
============================================================
================
$ cvs diff -u -r1.68 -r1.69 obj_mac.h
--- openssl/crypto/objects/obj_mac.h 23 Apr 2007 23:48:36
-0000 1.68
+++ openssl/crypto/objects/obj_mac.h 31 Aug 2007 12:42:48
-0000 1.69
 -3422,10 +3422,10 
#define SN_gost89_cnt "gost89-cnt"
#define NID_gost89_cnt 835
-#define
SN_id_Gost28147_89_MAC "id-Gost28147-89-MAC"
-#define LN_id_Gost28147_89_MAC "GOST 28147-89
MAC"
-#define NID_id_Gost28147_89_MAC 787
-#define OBJ_id_Gost28147_89_MAC OBJ_cryptopro,22L
+#define SN_id_Gost28147_89_MAC "gost-mac"
+#define LN_id_Gost28147_89_MAC "GOST 28147-89
MAC"
+#define NID_id_Gost28147_89_MAC 843
+#define OBJ_id_Gost28147_89_MAC OBJ_cryptopro,22L
#define
SN_id_GostR3411_94_prf "prf-gostr3411-94"
#define LN_id_GostR3411_94_prf "GOST R 34.11-94
PRF"
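Review bot: NID_id_Gost28147_89_MAC goes from 787 to 843 and SN_id_Gost28147_89_MAC from "id-Gost28147-89-MAC" to "gost-mac" in the same four replaced lines. Anything compiled against the old header that still passes 787 now lands on the {NULL,NULL,NID_undef,0,NULL,0} slot that obj_dat.h places at that index, and lookups by the old short name stop resolving. If only the short name has to change, keep the number at 787 so that existing NIDs stay stable.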
 .
patch -p0 <<' .'
Index: openssl/crypto/objects/obj_mac.num
============================================================
================
$ cvs diff -u -r1.58 -r1.59 obj_mac.num
--- openssl/crypto/objects/obj_mac.num 23 Apr 2007
23:48:37 -0000 1.58
+++ openssl/crypto/objects/obj_mac.num 31 Aug 2007
12:42:49 -0000 1.59
 -839,3 +839,5 
seed_cbc 839
seed_cfb128 840
seed_ofb128 841
+id_Gost28147_89_MAC 842
+id_Gost28147_89_MAC 843
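Review bot: The two added lines register the same name twice, as id_Gost28147_89_MAC 842 and id_Gost28147_89_MAC 843. obj_mac.h ends up using 843, while obj_dat.h gains an empty {NULL,NULL,NID_undef,0,NULL,0} entry at index 842 and NUM_NID rises by two for a single object. Drop the 842 line (or keep the original number altogether) and regenerate obj_dat.h.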
 .
patch -p0 <<' .'
Index: openssl/crypto/objects/objects.txt
============================================================
================
$ cvs diff -u -r1.69 -r1.70 objects.txt
--- openssl/crypto/objects/objects.txt 23 Apr 2007
23:48:37 -0000 1.69
+++ openssl/crypto/objects/objects.txt 31 Aug 2007
12:42:49 -0000 1.70
 -1092,7 +1092,8 
!Cname id-Gost28147-89
cryptopro 21 : gost89 : GOST 28147-89
: gost89-cnt
-cryptopro 22 : id-Gost28147-89-MAC : GOST 28147-89 MAC
+!Cname id-Gost28147-89-MAC
+cryptopro 22 : gost-mac : GOST 28147-89 MAC
!Cname id-GostR3411-94-prf
cryptopro 23 : prf-gostr3411-94 : GOST R 34.11-94 PRF
cryptopro 98 : id-GostR3410-2001DH : GOST R 34.10-2001
DH
 .
patch -p0 <<' .'
Index: openssl/ssl/d1_both.c
============================================================
================
$ cvs diff -u -r1.8 -r1.9 d1_both.c
--- openssl/ssl/d1_both.c 12 Aug 2007 17:44:32 -0000 1.8
+++ openssl/ssl/d1_both.c 31 Aug 2007 12:42:50 -0000 1.9
 -768,8 +768,6 
p= &(d[DTLS1_HM_HEADER_LENGTH]);
i=s->method->ssl3_enc->final_finish_mac(s,
- &(s->s3->finish_dgst1),
- &(s->s3->finish_dgst2),
sender,slen,s->s3->tmp.finish_md);
s->s3->tmp.finish_md_len = i;
memcpy(p, s->s3->tmp.finish_md, i);
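Review bot: The value returned by final_finish_mac() is stored in finish_md_len and used as the memcpy() length in the context lines right after the removed arguments, with no check in between. One implementation of this hook visible in this patch, ssl3_final_finish_mac() in s3_enc.c, now sums two ssl3_handshake_mac() calls that each return 0 with SSL_R_NO_REQUIRED_DIGEST when the digest is missing, so a failure would yield a Finished message with empty or shortened verify data instead of an aborted handshake. Test i for the error case here and fail the handshake; s3_both.c carries the same pattern.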
 .
patch -p0 <<' .'
Index: openssl/ssl/d1_clnt.c
============================================================
================
$ cvs diff -u -r1.11 -r1.12 d1_clnt.c
--- openssl/ssl/d1_clnt.c 19 Feb 2007 14:53:17 -0000 1.11
+++ openssl/ssl/d1_clnt.c 31 Aug 2007 12:42:50 -0000 1.12
 -998,14 +998,16 
p= &(d[DTLS1_HM_HEADER_LENGTH]);
pkey=s->cert->key->privatekey;
- s->method->ssl3_enc->cert_verify_mac(s,&(s-&
gt;s3->finish_dgst2),
+ s->method->ssl3_enc->cert_verify_mac(s,
+ NID_sha1,
&(data[MD5_DIGEST_LENGTH]));
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
s->method->ssl3_enc->cert_verify_mac(s,
- &(s->s3->finish_dgst1),&(data[0]));
+ NID_md5,
+ &(data[0]));
if (RSA_sign(NID_md5_sha1, data,
MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
&(p[2]), &u, pkey->pkey.rsa) <= 0 )
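Review bot: Both cert_verify_mac() calls in this hunk discard the return value. With the s3_enc.c version of the hook now able to return 0 when the requested digest is not in handshake_dgst, data[] would be handed to RSA_sign() without the hook having written it. Check each result and take the error path before signing.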
 .
patch -p0 <<' .'
Index: openssl/ssl/d1_srvr.c
============================================================
================
$ cvs diff -u -r1.12 -r1.13 d1_srvr.c
--- openssl/ssl/d1_srvr.c 19 Feb 2007 14:53:17 -0000 1.12
+++ openssl/ssl/d1_srvr.c 31 Aug 2007 12:42:50 -0000 1.13
 -446,10 +446,10 
/* We need to get hashes here so if there is
* a client cert, it can be verified */
s->method->ssl3_enc->cert_verify_mac(s,
- &(s->s3->finish_dgst1),
+ NID_md5,
&(s->s3->tmp.cert_verify_md[0]));
s->method->ssl3_enc->cert_verify_mac(s,
- &(s->s3->finish_dgst2),
+ NID_sha1,
&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]
));
break;
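Review bot: The digests written into cert_verify_md stay fixed to NID_md5 at offset 0 and NID_sha1 at offset MD5_DIGEST_LENGTH, so this path gains nothing from the new per-cipher digest list, and a cipher whose digest set lacks either one leaves part of cert_verify_md unwritten with no error raised here. A short comment that CertificateVerify remains MD5+SHA1 by design, together with a check of both return values, would make the intent and the failure mode explicit.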
 .
patch -p0 <<' .'
Index: openssl/ssl/s3_both.c
============================================================
================
$ cvs diff -u -r1.45 -r1.46 s3_both.c
--- openssl/ssl/s3_both.c 20 Oct 2006 11:26:00 -0000 1.45
+++ openssl/ssl/s3_both.c 31 Aug 2007 12:42:50 -0000 1.46
 -160,8 +160,6 
p= &(d[4]);
i=s->method->ssl3_enc->final_finish_mac(s,
- &(s->s3->finish_dgst1),
- &(s->s3->finish_dgst2),
sender,slen,s->s3->tmp.finish_md);
s->s3->tmp.finish_md_len = i;
memcpy(p, s->s3->tmp.finish_md, i);
 -518,9 +516,16 
else if (i == EVP_PKEY_EC)
{
ret = SSL_PKEY_ECC;
- }
+ }
#endif
-
+ else if (i == NID_id_GostR3410_94 || i ==
NID_id_GostR3410_94_cc)
+ {
+ ret = SSL_PKEY_GOST94;
+ }
+ else if (i == NID_id_GostR3410_2001 || i ==
NID_id_GostR3410_2001_cc)
+ {
+ ret = SSL_PKEY_GOST01;
+ }
err:
if(!pkey) EVP_PKEY_free(pk);
return(ret);
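Review bot: The two new branches compare i against NID_id_GostR3410_94 and NID_id_GostR3410_2001 (plus the _cc variants), while the branch directly above compares it against EVP_PKEY_EC. That works only when the key type value and the NID coincide, so either add a comment saying so or use matching EVP_PKEY_ names. The brace line replaced at the top of the hunk differs in whitespace only and can be left out of the patch.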
 .
patch -p0 <<' .'
Index: openssl/ssl/s3_clnt.c
============================================================
================
$ cvs diff -u -r1.110 -r1.111 s3_clnt.c
--- openssl/ssl/s3_clnt.c 31 Aug 2007 00:28:01
-0000 1.110
+++ openssl/ssl/s3_clnt.c 31 Aug 2007 12:42:50
-0000 1.111
 -824,6 +824,7 
}
}
s->s3->tmp.new_cipher=c;
+ ssl3_digest_cached_records(s);
/* lets get the compression algorithm */
/* COMPRESSION */
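Review bot: ssl3_digest_cached_records(s) is called right after new_cipher is assigned, but the function returns void, so the allocation failures it can hit (see the s3_enc.c hunk) cannot stop the handshake at this point. The call is also unconditional, whereas ssl3_handshake_mac() guards its own call with if (s->s3->handshake_buffer), and the function reads the buffer through BIO_get_mem_data() without checking it. Make it return int, test the result at both call sites, and apply the same guard here or inside the function.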
 -2415,14 +2416,16 
p= &(d[4]);
pkey=s->cert->key->privatekey;
- s->method->ssl3_enc->cert_verify_mac(s,&(s-&
gt;s3->finish_dgst2),
+ s->method->ssl3_enc->cert_verify_mac(s,
+ NID_sha1,
&(data[MD5_DIGEST_LENGTH]));
#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
s->method->ssl3_enc->cert_verify_mac(s,
- &(s->s3->finish_dgst1),&(data[0]));
+ NID_md5,
+ &(data[0]));
if (RSA_sign(NID_md5_sha1, data,
MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
&(p[2]), &u, pkey->pkey.rsa) <= 0 )
 .
patch -p0 <<' .'
Index: openssl/ssl/s3_enc.c
============================================================
================
$ cvs diff -u -r1.49 -r1.50 s3_enc.c
--- openssl/ssl/s3_enc.c 4 Jun 2007 17:04:34 -0000 1.49
+++ openssl/ssl/s3_enc.c 31 Aug 2007 12:42:50 -0000 1.50
 -155,10 +155,8 
0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
-
-static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX
*in_ctx,
+static int ssl3_handshake_mac(SSL *s, int md_nid,
const char *sender, int len, unsigned char *p);
-
static int ssl3_generate_key_block(SSL *s, unsigned char
*km, int num)
{
EVP_MD_CTX m5;
 -545,46 +543,116 
void ssl3_init_finished_mac(SSL *s)
{
- EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->c
tx->md5, NULL);
- EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->c
tx->sha1, NULL);
+ if (s->s3->handshake_buffer)
BIO_free(s->s3->handshake_buffer);
+ if (s->s3->handshake_dgst)
ssl3_free_digest_list(s);
+ s->s3->handshake_buffer=BIO_new(BIO_s_mem());
+ BIO_set_close(s->s3->handshake_buffer,BIO_CLOSE);
}
+void ssl3_free_digest_list(SSL *s)
+ {
+ int i;
+ if (!s->s3->handshake_dgst) return;
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if (s->s3->handshake_dgst[i])
+ EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
+ }
+ OPENSSL_free(s->s3->handshake_dgst);
+ s->s3->handshake_dgst=NULL;
+ }
+
+
+
void ssl3_finish_mac(SSL *s, const unsigned char *buf,
int len)
{
- EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len)
;
- EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len)
;
- }
+ if (s->s3->handshake_buffer)
+ {
+ BIO_write (s->s3->handshake_buffer,(void
*)buf,len);
+ }
+ else
+ {
+ int i;
+ for (i=0;i< SSL_MAX_DIGEST;i++)
+ {
+ if (s->s3->handshake_dgst[i]!= NULL)
+ EVP_DigestUpdate(s->s3->handshake_dgst[i],buf,len)
;
+ }
+ }
+ }
+void ssl3_digest_cached_records(SSL *s)
+ {
+ int i;
+ long mask;
+ const EVP_MD *md;
+ long hdatalen;
+ void *hdata;
+ /* Allocate handshake_dgst array */
+ ssl3_free_digest_list(s);
+ s->s3->handshake_dgst =
OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+ memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST
*sizeof(EVP_MD_CTX *));
+ hdatalen =
BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
+ /* Loop through bitso of algorithm2 field and create
MD_CTX-es */
+ for (i=0;ssl_get_handshake_digest(i,&mask,&md);
i++)
+ {
+ if ((mask &
s->s3->tmp.new_cipher->algorithm2) && md)
+ {
+ s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
+ EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NU
LL);
+ EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,
hdatalen);
+ }
+ else
+ {
+ s->s3->handshake_dgst[i]=NULL;
+ }
+ }
+ /* Free handshake_buffer BIO */
+ BIO_free(s->s3->handshake_buffer);
+ s->s3->handshake_buffer = NULL;
-int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx,
unsigned char *p)
+ }
+int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned
char *p)
{
- return(ssl3_handshake_mac(s,ctx,NULL,0,p));
+ return(ssl3_handshake_mac(s,md_nid,NULL,0,p));
}
-
-int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1,
EVP_MD_CTX *ctx2,
+int ssl3_final_finish_mac(SSL *s,
const char *sender, int len, unsigned char *p)
{
int ret;
-
- ret=ssl3_handshake_mac(s,ctx1,sender,len,p);
+ ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
p+=ret;
- ret+=ssl3_handshake_mac(s,ctx2,sender,len,p);
+ ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
return(ret);
}
-
-static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX
*in_ctx,
+static int ssl3_handshake_mac(SSL *s, int md_nid,
const char *sender, int len, unsigned char *p)
{
unsigned int ret;
int npad,n;
unsigned int i;
unsigned char md_buf[EVP_MAX_MD_SIZE];
- EVP_MD_CTX ctx;
-
+ EVP_MD_CTX ctx,*d=NULL;
+ if (s->s3->handshake_buffer)
+ ssl3_digest_cached_records(s);
+
+ /* Search for djgest of specified type in the
handshake_dgst
+ * array*/
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if
(s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s-&
gt;s3->handshake_dgst[i])==md_nid)
+ {
+ d=s->s3->handshake_dgst[i];
+ break;
+ }
+ }
+ if (!d) {
+ SSLerr(SSL_F_SSL3_HANDSHAKE_MAC,SSL_R_NO_REQUIRED_DIGEST)
;
+ return 0;
+ }
EVP_MD_CTX_init(&ctx);
- EVP_MD_CTX_copy_ex(&ctx,in_ctx);
+ EVP_MD_CTX_copy_ex(&ctx,d);
n=EVP_MD_CTX_size(&ctx);
npad=(48/n)*n;
-
if (sender != NULL)
EVP_DigestUpdate(&ctx,sender,len);
EVP_DigestUpdate(&ctx,s->session->master_key,
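Review bot: In ssl3_digest_cached_records() the OPENSSL_malloc() result goes straight into memset() and each EVP_MD_CTX_create() result is used without a NULL check, so an allocation failure becomes a NULL dereference in the middle of a handshake. The function returns void, so ssl3_handshake_mac() cannot tell that hashing failed; suggest returning int, checking both allocations and the length returned by BIO_get_mem_data(), and propagating the error. Two related points in the same hunk: the else branch of ssl3_finish_mac() indexes s->s3->handshake_dgst[i] without first checking that handshake_dgst itself is non-NULL, and ssl3_final_finish_mac() adds a 0 error return from the first ssl3_handshake_mac() call into ret, so a missing digest produces a short MAC rather than a failure.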
 .
patch -p0 <<' .'
Index: openssl/ssl/s3_lib.c
============================================================
================
$ cvs diff -u -r1.115 -r1.116 s3_lib.c
--- openssl/ssl/s3_lib.c 28 Aug 2007 01:08:43 -0000 1.115
+++ openssl/ssl/s3_lib.c 31 Aug 2007 12:42:50 -0000 1.116
 -181,7 +181,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -197,7 +197,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -213,7 +213,7 
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -229,7 +229,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -245,7 +245,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -261,7 +261,7 
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -278,7 +278,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -295,7 +295,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -311,7 +311,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -327,7 +327,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -344,7 +344,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -360,7 +360,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -376,7 +376,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -392,7 +392,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -408,7 +408,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -424,7 +424,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -441,7 +441,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -457,7 +457,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -473,7 +473,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -489,7 +489,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -505,7 +505,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -521,7 +521,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -537,7 +537,7 
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -553,7 +553,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -569,7 +569,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -585,7 +585,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -601,7 +601,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -619,7 +619,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -635,7 +635,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -651,7 +651,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -670,7 +670,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -686,7 +686,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -702,7 +702,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -718,7 +718,7 
SSL_SHA1,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -734,7 +734,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -750,7 +750,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -766,7 +766,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -782,7 +782,7 
SSL_MD5,
SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -798,7 +798,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -814,7 +814,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -830,7 +830,7 
SSL_SHA1,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -846,7 +846,7 
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
56,
},
 -862,7 +862,7 
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -878,7 +878,7 
SSL_MD5,
SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
40,
128,
},
 -896,7 +896,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -911,7 +911,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -926,7 +926,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -941,7 +941,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -956,7 +956,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -971,7 +971,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -987,7 +987,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1002,7 +1002,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1018,7 +1018,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1034,7 +1034,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1050,7 +1050,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1066,7 +1066,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1085,7 +1085,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1101,7 +1101,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1117,7 +1117,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1133,7 +1133,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1149,7 +1149,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1165,7 +1165,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1185,7 +1185,7 
SSL_MD5,
SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
128,
},
 -1201,7 +1201,7 
SSL_MD5,
SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
128,
},
 -1218,7 +1218,7 
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -1234,7 +1234,7 
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
56,
},
 -1250,7 +1250,7 
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
128,
},
 -1266,7 +1266,7 
SSL_SHA1,
SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
56,
128,
},
 -1282,7 +1282,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1302,7 +1302,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1317,7 +1317,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1333,7 +1333,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1349,7 +1349,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1365,7 +1365,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1381,7 +1381,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1399,7 +1399,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1415,7 +1415,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -1431,7 +1431,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1447,7 +1447,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1467,7 +1467,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1483,7 +1483,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1499,7 +1499,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1515,7 +1515,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1531,7 +1531,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1547,7 +1547,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1566,7 +1566,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -1582,7 +1582,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1598,7 +1598,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -1614,7 +1614,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1630,7 +1630,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1646,7 +1646,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -1662,7 +1662,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1678,7 +1678,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -1694,7 +1694,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1710,7 +1710,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1726,7 +1726,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -1742,7 +1742,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1758,7 +1758,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -1774,7 +1774,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1790,7 +1790,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1806,7 +1806,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -1822,7 +1822,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1838,7 +1838,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -1854,7 +1854,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1870,7 +1870,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1886,7 +1886,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_STRONG_NONE,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
0,
0,
},
 -1902,7 +1902,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_MEDIUM,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1918,7 +1918,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
168,
168,
},
 -1934,7 +1934,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
128,
128,
},
 -1950,7 +1950,7 
SSL_SHA1,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1968,7 +1968,7 
SSL_MD5,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256,
},
 -1982,7 +1982,7 
SSL_GOST94,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256
},
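Review bot: This SSL_GOST94 entry is given SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, that is the MD5+SHA1 handshake digests and PRF, although the ssl_locl.h part of this commit defines SSL_HANDSHAKE_MAC_GOST94 and TLS1_PRF_GOST94 and none of the visible table hunks use them. If that is a deliberate interim step, please say so in a comment next to the entry (the two GOST entries that follow have the same value); otherwise the GOST flags look like what was intended here.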
 -1996,7 +1996,7 
SSL_GOST89MAC,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- 0,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
256,
256
},
 -2010,7 +2010,7 
SSL_GOST89MAC,
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
- TLS1_STREAM_MAC,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|TLS1_STREAM_MAC,
256,
256
},
 -2067,8 +2067,6 
if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
memset(s3,0,sizeof *s3);
- EVP_MD_CTX_init(&s3->finish_dgst1);
- EVP_MD_CTX_init(&s3->finish_dgst2);
memset(s3->rrec.seq_num,0,sizeof(s3->rrec.seq_num));
memset(s3->wrec.seq_num,0,sizeof(s3->wrec.seq_num));
 -2103,9 +2101,10 
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_
free);
- EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
- EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-
+ if (s->s3->handshake_buffer) {
+ BIO_free(s->s3->handshake_buffer);
+ }
+ if (s->s3->handshake_dgst)
ssl3_free_digest_list(s);
OPENSSL_cleanse(s->s3,sizeof *s->s3);
OPENSSL_free(s->s3);
s->s3=NULL;
 -2138,10 +2137,12 
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
wlen = s->s3->wbuf.len;
-
- EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
- EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
-
+ if (s->s3->handshake_buffer) {
+ BIO_free(s->s3->handshake_buffer);
+ }
+ if (s->s3->handshake_dgst) {
+ ssl3_free_digest_list(s);
+ }
memset(s->s3,0,sizeof *s->s3);
s->s3->rbuf.buf = rp;
s->s3->wbuf.buf = wp;
 .
patch -p0 <<' .'
Index: openssl/ssl/s3_pkt.c
============================================================
================
$ cvs diff -u -r1.62 -r1.63 s3_pkt.c
--- openssl/ssl/s3_pkt.c 4 Jun 2007 17:04:35 -0000 1.62
+++ openssl/ssl/s3_pkt.c 31 Aug 2007 12:42:50 -0000 1.63
 -1307,8 +1307,6 
}
s->s3->tmp.peer_finish_md_len =
s->method->ssl3_enc->final_finish_mac(s,
- &(s->s3->finish_dgst1),
- &(s->s3->finish_dgst2),
sender,slen,s->s3->tmp.peer_finish_md);
return(1);
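Review bot: The result of final_finish_mac() is stored in peer_finish_md_len and the function returns 1 regardless. After this commit ssl3_handshake_mac() can return 0 with SSL_R_NO_REQUIRED_DIGEST, so a zero length should be treated as a failure here instead of being recorded as the peer's expected Finished length.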
 .
patch -p0 <<' .'
Index: openssl/ssl/s3_srvr.c
============================================================
================
$ cvs diff -u -r1.154 -r1.155 s3_srvr.c
--- openssl/ssl/s3_srvr.c 20 Aug 2007 12:35:20
-0000 1.154
+++ openssl/ssl/s3_srvr.c 31 Aug 2007 12:42:50
-0000 1.155
 -502,12 +502,15 
/* We need to get hashes here so if there is
* a client cert, it can be verified
+ * FIXME - digest processing for CertificateVerify
+ * should be generalized. But it is next step
*/
+
s->method->ssl3_enc->cert_verify_mac(s,
- &(s->s3->finish_dgst1),
+ NID_md5,
&(s->s3->tmp.cert_verify_md[0]));
s->method->ssl3_enc->cert_verify_mac(s,
- &(s->s3->finish_dgst2),
+ NID_sha1,
&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
}
break;
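Review bot: Both cert_verify_mac() return values are ignored. With the lookup by NID introduced in this commit the call can now fail (it returns 0 when no matching context is in handshake_dgst), which would leave tmp.cert_verify_md unfilled for the later client certificate check; suggest checking each return and failing the handshake on 0. The FIXME already covers the hard-coded NID_md5/NID_sha1 pair.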
 -1026,6 +1029,7 
goto f_err;
}
s->s3->tmp.new_cipher=c;
+ ssl3_digest_cached_records(s);
}
else
{
 -1056,6 +1060,9 
else
#endif
s->s3->tmp.new_cipher=s->session->cipher;
+ /* Clear cached handshake records */
+ BIO_free(s->s3->handshake_buffer);
+ s->s3->handshake_buffer = NULL;
}
/* we now have the following setup.
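Review bot: On this session-reuse path the buffered handshake records are freed without being hashed, and nothing in the hunk calls ssl3_digest_cached_records() or otherwise sets up handshake_dgst. As far as these hunks show, the next ssl3_finish_mac() call then takes its else branch and indexes a NULL handshake_dgst, and the ClientHello is missing from the Finished hash. Since new_cipher is known at this point, digesting the cached records here (as the non-resumption hunk above does) looks like the right change instead of discarding them.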
 .
patch -p0 <<' .'
Index: openssl/ssl/ssl.h
============================================================
================
$ cvs diff -u -r1.196 -r1.197 ssl.h
--- openssl/ssl/ssl.h 28 Aug 2007 01:08:44 -0000 1.196
+++ openssl/ssl/ssl.h 31 Aug 2007 12:42:51 -0000 1.197
 -1868,7 +1868,10 
#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
-
+#define SSL_F_TLS1_FINAL_FINISH_MAC 283
+#define SSL_F_TLS1_PRF 284
+#define SSL_F_SSL3_HANDSHAKE_MAC 285
+#define SSL_F_TLS1_CERT_VERIFY_MAC 286
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
#define
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
 -2123,6 +2126,8 
#define SSL_R_WRONG_VERSION_NUMBER 267
#define SSL_R_X509_LIB 268
#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269
+#define SSL_R_UNSUPPORTED_DIGEST_TYPE 270
+#define SSL_R_NO_REQUIRED_DIGEST 324
#ifdef __cplusplus
}
 .
patch -p0 <<' .'
Index: openssl/ssl/ssl3.h
============================================================
================
$ cvs diff -u -r1.39 -r1.40 ssl3.h
--- openssl/ssl/ssl3.h 11 Aug 2007 23:18:23 -0000 1.39
+++ openssl/ssl/ssl3.h 31 Aug 2007 12:42:51 -0000 1.40
 -419,9 +419,11 
const unsigned char *wpend_buf;
/* used during startup, digest all incoming/outgoing
packets */
- EVP_MD_CTX finish_dgst1;
- EVP_MD_CTX finish_dgst2;
-
+ BIO *handshake_buffer;
+ /* When set of handshake digests is determined, buffer
is hashed
+ * and freed and MD_CTX-es for all required digests are
stored in
+ * this array */
+ EVP_MD_CTX **handshake_dgst;
/* this is set whenerver we see a change_cipher_spec
message
* come in when we are not looking for one */
int change_cipher_spec;
 .
patch -p0 <<' .'
Index: openssl/ssl/ssl_ciph.c
============================================================
================
$ cvs diff -u -r1.74 -r1.75 ssl_ciph.c
--- openssl/ssl/ssl_ciph.c 4 Jun 2007 17:04:36 -0000 1.74
+++ openssl/ssl/ssl_ciph.c 31 Aug 2007 12:42:51
-0000 1.75
 -175,7 +175,10 
#define SSL_MD_SHA1_IDX 1
#define SSL_MD_GOST94_IDX 2
#define SSL_MD_GOST89MAC_IDX 3
-#define SSL_MD_NUM_IDX 4
+/*Constant SSL_MAX_DIGEST equal to size of digests array
should be
+ * defined in the
+ * ssl_locl.h */
+#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
static const EVP_MD
*ssl_digest_methods[SSL_MD_NUM_IDX]={
NULL,NULL,NULL,NULL
};
 -191,6 +194,11 
0,0,0,0
};
+static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
+ SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
+ SSL_HANDSHAKE_MAC_GOST94,0
+ };
+
#define CIPHER_ADD 1
#define CIPHER_KILL 2
#define CIPHER_DEL 3
 -299,6 +307,22 
{0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
{0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
};
+/* Search for public key algorithm with given name and
+ * return its pkey_id if it is available. Otherwise
return 0
+ */
+static int get_optional_pkey_id(const char *pkey_name)
+ {
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ ENGINE *tmpeng = NULL;
+ int pkey_id=0;
+ ameth =
EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1);
+ if (ameth)
+ {
+ EVP_PKEY_asn1_get0_info(&pkey_id,
NULL,NULL,NULL,NULL,ameth);
+ }
+ if (tmpeng) ENGINE_finish(tmpeng);
+ return pkey_id;
+ }
void ssl_load_ciphers(void)
{
 -346,19 +370,10 
}
ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
- {
- const EVP_PKEY_ASN1_METHOD *ameth;
- ENGINE *tmpeng = NULL;
- int pkey_id;
- ameth =
EVP_PKEY_asn1_find_str(&tmpeng,"gost-mac",-1);
- if (ameth)
- {
- EVP_PKEY_asn1_get0_info(&pkey_id,
NULL,NULL,NULL,NULL,ameth);
- ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]= pkey_id;
+ ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] =
get_optional_pkey_id("gost-mac");
+ if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
- }
- if (tmpeng) ENGINE_finish(tmpeng);
- }
+ }
}
#ifndef OPENSSL_NO_COMP
 -534,6 +549,18 
return(0);
}
+int ssl_get_handshake_digest(int idx, long *mask, const
EVP_MD **md)
+{
+ if (idx <0||idx>=SSL_MD_NUM_IDX)
+ {
+ return 0;
+ }
+ if (ssl_handshake_digest_flag[idx]==0) return 0;
+ *mask = ssl_handshake_digest_flag[idx];
+ *md = ssl_digest_methods[idx];
+ return 1;
+}
+
#define ITEM_SEP(a)
(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) ==
','))
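Review bot: ssl_get_handshake_digest() returns 0 both for an out-of-range idx and for a slot whose flag is 0, and every caller uses it as the loop condition, so the 0 entry at SSL_MD_GOST89MAC_IDX doubles as an end-of-table marker. Any handshake digest later added after a zero-flag slot would be skipped silently; suggest separating "end of table" from "not a handshake digest", or documenting the ordering requirement next to ssl_handshake_digest_flag. The function can also return 1 with *md set to NULL when the digest is not loaded, which callers must check (tls1_final_finish_mac() does not).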
 -605,9 +632,23 
*mkey |= SSL_kPSK;
*auth |= SSL_aPSK;
#endif
+ /* Check for presence of GOST 34.10 algorithms, and if
they
+ * do not present, disable appropriate auth and key
exchange */
+ if (!get_optional_pkey_id("gost94")) {
+ *auth |= SSL_aGOST94;
+ }
+ if (!get_optional_pkey_id("gost2001")) {
+ *auth |= SSL_aGOST01;
+ }
+ /* Disable GOST key exchange if no GOST signature algs
are available * */
+ if ((*auth & (SSL_aGOST94|SSL_aGOST01)) ==
(SSL_aGOST94|SSL_aGOST01)) {
+ *mkey |= SSL_kGOST;
+ }
#ifdef SSL_FORBID_ENULL
*enc |= SSL_eNULL;
#endif
+
+
*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ?
SSL_DES :0;
*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ?
SSL_3DES:0;
 .
patch -p0 <<' .'
Index: openssl/ssl/ssl_err.c
============================================================
================
$ cvs diff -u -r1.64 -r1.65 ssl_err.c
--- openssl/ssl/ssl_err.c 28 Aug 2007 01:08:45 -0000 1.64
+++ openssl/ssl/ssl_err.c 31 Aug 2007 12:42:51 -0000 1.65
 -255,6 +255,10 
{ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1
_PREPARE_SERVERHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_
BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_TLS1_FINAL_FINISH_MAC),"tls1_final_fin
ish_mac"},
+{ERR_FUNC(SSL_F_TLS1_PRF),"tls1_prf"},
+{ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC),"ssl3_handshake_ma
c"},
+{ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC),"tls1_cert_verif
y_mac"},
{0,NULL}
};
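Review bot: The four new function-name strings are lower case ("tls1_prf", "ssl3_handshake_mac") while the existing entries shown as context are upper case ("TLS1_SETUP_KEY_BLOCK", "WRITE_PENDING"). Please match the surrounding convention so error output stays consistent.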
 -513,6 +517,8 
{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong
version number"},
{ERR_REASON(SSL_R_X509_LIB) ,"x509
lib"},
{ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x5
09 verification setup problems"},
+{ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE),"unsupporte
d digest type"},
+{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST),"digest
requred for handshake isn't computed"},
{0,NULL}
};
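Review bot: The new reason string has a typo, "requred" should be "required". Since this text is what users see in the error queue, something like "digest required for handshake isn't computed" would read correctly.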
 .
patch -p0 <<' .'
Index: openssl/ssl/ssl_lib.c
============================================================
================
$ cvs diff -u -r1.159 -r1.160 ssl_lib.c
--- openssl/ssl/ssl_lib.c 12 Aug 2007 18:56:13
-0000 1.159
+++ openssl/ssl/ssl_lib.c 31 Aug 2007 12:42:51
-0000 1.160
 -165,9 +165,9 
ssl_undefined_function,
(int (*)(SSL *, unsigned char *, unsigned char *,
int))ssl_undefined_function,
(int (*)(SSL*, int))ssl_undefined_function,
- (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*,
int, unsigned char *))ssl_undefined_function,
+ (int (*)(SSL *, const char*, int, unsigned char
*))ssl_undefined_function,
0, /* finish_mac_length */
- (int (*)(SSL *, EVP_MD_CTX *, unsigned char
*))ssl_undefined_function,
+ (int (*)(SSL *, const EVP_MD *, unsigned char
*))ssl_undefined_function,
NULL, /* client_finished_label */
0, /* client_finished_label_len */
NULL, /* server_finished_label */
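Review bot: The replacement cast for the cert_verify_mac slot is (int (*)(SSL *, const EVP_MD *, unsigned char *)), but the ssl_locl.h hunk in this commit declares the member as int (*cert_verify_mac)(SSL *, int, unsigned char *). The second parameter should be int here so the cast matches the member's type.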
 .
patch -p0 <<' .'
Index: openssl/ssl/ssl_locl.h
============================================================
================
$ cvs diff -u -r1.84 -r1.85 ssl_locl.h
--- openssl/ssl/ssl_locl.h 20 Aug 2007 12:35:20
-0000 1.84
+++ openssl/ssl/ssl_locl.h 31 Aug 2007 12:42:51
-0000 1.85
 -286,7 +286,7 
#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA
cert */
#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
#define SSL_kPSK 0x00000100L /* PSK */
-
+#define SSL_kGOST 0x00000200L /* GOST key exchange
*/
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
 -297,6 +297,8 
#define SSL_aKRB5 0x00000020L /* KRB5 auth
*/
#define SSL_aECDSA 0x00000040L /* ECDSA
auth*/
#define SSL_aPSK 0x00000080L /* PSK auth
*/
+#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94
signature auth */
+#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001
signature auth */
/* Bits for algorithm_enc (symmetric encryption) */
 -328,7 +330,24 
#define SSL_SSLV3 0x00000002L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
+/* Bits for algorithm2 (handshake digests) */
+
+#define SSL_HANDSHAKE_MAC_MD5 0x10
+#define SSL_HANDSHAKE_MAC_SHA 0x20
+#define SSL_HANDSHAKE_MAC_GOST94 0x40
+#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5
| SSL_HANDSHAKE_MAC_SHA)
+
+
+/* When adding new digest in the ssl_ciph.c and increment
SSM_MD_NUM_IDX
+ * make sure to update this constant too */
+#define SSL_MAX_DIGEST 4
+
+#define TLS1_PRF_DGST_SHIFT 8
+#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 <<
TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA <<
TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94
<< TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
/*
* Export and cipher strength information. For each
cipher we have to decide
* whether it is exportable or not. This information is
likely to change
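Review bot: SSL_MAX_DIGEST has to be kept in step by hand with the four-element initialisers in ssl_ciph.c, and the comment that warns about this names a macro that does not exist (SSM_MD_NUM_IDX instead of SSL_MD_NUM_IDX). Suggest fixing the name and adding a compile-time size check in ssl_ciph.c so a mismatch cannot go unnoticed, since handshake_dgst is allocated and indexed with this constant.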
 -398,7 +417,9 
#define SSL_PKEY_DH_RSA 3
#define SSL_PKEY_DH_DSA 4
#define SSL_PKEY_ECC 5
-#define SSL_PKEY_NUM 6
+#define SSL_PKEY_GOST94 6
+#define SSL_PKEY_GOST01 7
+#define SSL_PKEY_NUM 8
/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
* <- (EXPORT & (RSA_ENC | RSA_TMP) &
RSA_SIGN)
 -516,9 +537,9 
int (*setup_key_block)(SSL *);
int (*generate_master_secret)(SSL *, unsigned char *,
unsigned char *, int);
int (*change_cipher_state)(SSL *, int);
- int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX
*, const char *, int, unsigned char *);
+ int (*final_finish_mac)(SSL *, const char *, int,
unsigned char *);
int finish_mac_length;
- int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned
char *);
+ int (*cert_verify_mac)(SSL *, int, unsigned char *);
const char *client_finished_label;
int client_finished_label_len;
const char *server_finished_label;
 -755,6 +776,7 
void ssl_update_cache(SSL *s, int mode);
int ssl_cipher_get_evp(const SSL_SESSION *s,const
EVP_CIPHER **enc,
const EVP_MD **md,int *mac_pkey_type,int
*mac_secret_size, SSL_COMP **comp);
+int ssl_get_handshake_digest(int i,long *mask,const
EVP_MD **md);
int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_undefined_function(SSL *s);
int ssl_undefined_void_function(void);
 -820,16 +842,17 
int ssl3_dispatch_alert(SSL *s);
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf,
int len, int peek);
int ssl3_write_bytes(SSL *s, int type, const void *buf,
int len);
-int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1,
EVP_MD_CTX *ctx2,
- const char *sender, int slen,unsigned char *p);
-int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned
char *p);
+int ssl3_final_finish_mac(SSL *s, const char *sender, int
slen,unsigned char *p);
+int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned
char *p);
void ssl3_finish_mac(SSL *s, const unsigned char *buf,
int len);
int ssl3_enc(SSL *s, int send_data);
int ssl3_mac(SSL *ssl, unsigned char *md, int
send_data);
+void ssl3_free_digest_list(SSL *s);
unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
SSL_CIPHER *ssl3_choose_cipher(SSL
*ssl,STACK_OF(SSL_CIPHER) *clnt,
STACK_OF(SSL_CIPHER) *srvr);
int ssl3_setup_buffers(SSL *s);
+void ssl3_digest_cached_records(SSL *s);
int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
int ssl3_accept(SSL *s);
 -957,9 +980,9 
int tls1_change_cipher_state(SSL *s, int which);
int tls1_setup_key_block(SSL *s);
int tls1_enc(SSL *s, int snd);
-int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx,
EVP_MD_CTX *in2_ctx,
+int tls1_final_finish_mac(SSL *s,
const char *str, int slen, unsigned char *p);
-int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned
char *p);
+int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned
char *p);
int tls1_mac(SSL *ssl, unsigned char *md, int snd);
int tls1_generate_master_secret(SSL *s, unsigned char
*out,
unsigned char *p, int len);
 .
patch -p0 <<' .'
Index: openssl/ssl/t1_enc.c
============================================================
================
$ cvs diff -u -r1.44 -r1.45 t1_enc.c
--- openssl/ssl/t1_enc.c 4 Jun 2007 17:04:39 -0000 1.44
+++ openssl/ssl/t1_enc.c 31 Aug 2007 12:42:51 -0000 1.45
 -190,27 +190,41 
OPENSSL_cleanse(A1,sizeof(A1));
}
-static void tls1_PRF(const EVP_MD *md5, const EVP_MD
*sha1,
+static void tls1_PRF(long digest_mask,
unsigned char *label, int label_len,
const unsigned char *sec, int slen, unsigned char
*out1,
unsigned char *out2, int olen)
{
- int len,i;
- const unsigned char *S1,*S2;
-
- len=slen/2;
+ int len,i,idx,count;
+ const unsigned char *S1;
+ long m;
+ const EVP_MD *md;
+
+ /* Count number of digests and divide sec evenly */
+ count=0;
+ for
(idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++)
{
+ if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask)
count++;
+ }
+ len=slen/count;
S1=sec;
- S2= &(sec[len]);
- len+=(slen&1); /* add for odd, make longer */
-
-
- tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
- tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
-
- for (i=0; i<olen; i++)
- out1[i]^=out2[i];
+ memset(out1,0,olen);
+ for
(idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++)
{
+ if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask)
{
+ if (!md) {
+ SSLerr(SSL_F_TLS1_PRF,
+ SSL_R_UNSUPPORTED_DIGEST_TYPE);
+ return;
+ }
+ tls1_P_hash(md
,S1,len+(slen&1),label,label_len,out2,olen);
+ S1+=len;
+ for (i=0; i<olen; i++)
+ {
+ out1[i]^=out2[i];
+ }
+ }
}
+}
static void tls1_generate_key_block(SSL *s, unsigned char
*km,
unsigned char *tmp, int num)
{
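Review bot: In the new tls1_PRF(), count stays 0 when digest_mask carries none of the TLS1_PRF_* bits, so len=slen/count divides by zero; please reject count==0 before the division. The length len+(slen&1) is carried over from the two-way split and is only right for count==2: with a single digest and an odd slen it reads one byte past the end of sec, and with three digests the remainder is not covered. The error path also returns void after memset(out1,0,olen), so the caller continues with all-zero output; tls1_PRF should return a status that the key-derivation callers check.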
 -227,7 +241,7 
memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-
buf),
+ tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,(i
nt)(p-buf),
s->session->master_key,s->session->master_key_le
ngth,
km,tmp,num);
#ifdef KSSL_DEBUG
 -436,7 +450,7 
p+=SSL3_RANDOM_SIZE;
memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p
-buf),key,j,
+ tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,(
int)(p-buf),key,j,
tmp1,tmp2,EVP_CIPHER_key_length(c));
key=tmp1;
 -450,7 +464,7 
p+=SSL3_RANDOM_SIZE;
memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,
empty,0,
+ tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,
p-buf,empty,0,
iv1,iv2,k*2);
if (client_write)
iv=iv1;
 -720,40 +734,63 
}
return(1);
}
-
-int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx,
unsigned char *out)
+int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned
char *out)
{
unsigned int ret;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX ctx, *d=NULL;
+ int i;
+
+ if (s->s3->handshake_buffer)
+ ssl3_digest_cached_records(s);
+ for (i=0;i<SSL_MAX_DIGEST;i++)
+ {
+ if
(s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s-&
gt;s3->handshake_dgst[i])==md_nid)
+ {
+ d=s->s3->handshake_dgst[i];
+ break;
+ }
+ }
+ if (!d) {
+ SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGES
T);
+ return 0;
+ }
EVP_MD_CTX_init(&ctx);
- EVP_MD_CTX_copy_ex(&ctx,in_ctx);
+ EVP_MD_CTX_copy_ex(&ctx,d);
EVP_DigestFinal_ex(&ctx,out,&ret);
EVP_MD_CTX_cleanup(&ctx);
return((int)ret);
}
-int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx,
EVP_MD_CTX *in2_ctx,
+int tls1_final_finish_mac(SSL *s,
const char *str, int slen, unsigned char *out)
{
unsigned int i;
EVP_MD_CTX ctx;
unsigned char
buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGT
H];
unsigned char *q,buf2[12];
+ int idx;
+ long mask;
+ const EVP_MD *md;
q=buf;
memcpy(q,str,slen);
q+=slen;
EVP_MD_CTX_init(&ctx);
- EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
- EVP_DigestFinal_ex(&ctx,q,&i);
- q+=i;
- EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
- EVP_DigestFinal_ex(&ctx,q,&i);
- q+=i;
- tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-
buf),
+ if (s->s3->handshake_buffer)
+ ssl3_digest_cached_records(s);
+
+ for
(idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++
) {
+ if (mask &
s->s3->tmp.new_cipher->algorithm2) {
+ EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[
idx]);
+ EVP_DigestFinal_ex(&ctx,q,&i);
+ q+=i;
+ }
+ }
+
+ tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,(i
nt)(q-buf),
s->session->master_key,s->session->master_key_
length,
out,buf2,sizeof buf2);
EVP_MD_CTX_cleanup(&ctx);
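Review bot: In tls1_final_finish_mac, buf is still declared with room for `MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH` after the label, but the new loop appends one EVP_DigestFinal_ex output for every digest whose mask bit is set in algorithm2 and never bounds q. Any selected set of digests whose combined length exceeds the MD5 plus SHA1 pair writes past the end of buf. Suggest sizing buf from EVP_MAX_MD_SIZE times SSL_MAX_DIGEST, or checking the remaining space before each EVP_DigestFinal_ex. The loop also passes `s->s3->handshake_dgst[idx]` to EVP_MD_CTX_copy_ex without the NULL test that tls1_cert_verify_mac applies in the same hunk, and neither function checks the result of EVP_MD_CTX_copy_ex.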
 -853,7 +890,7 
s->s3->client_random,SSL3_RANDOM_SIZE);
memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONS
T_SIZE]),
s->s3->server_random,SSL3_RANDOM_SIZE);
- tls1_PRF(s->ctx->md5,s->ctx->sha1,
+ tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,l
en,
s->session->master_key,buff,sizeof buff);
#ifdef KSSL_DEBUG
 .
patch -p0 <<' .'
Index: openssl/ssl/tls1.h
============================================================
================
$ cvs diff -u -r1.35 -r1.36 tls1.h
--- openssl/ssl/tls1.h 28 Aug 2007 01:08:45 -0000 1.35
+++ openssl/ssl/tls1.h 31 Aug 2007 12:42:52 -0000 1.36
 -420,6 +420,7 
/* Stream MAC for GOST ciphersuites from cryptopro draft
*/
#define TLS1_STREAM_MAC 0x04
+
#define TLS_CT_RSA_SIGN 1
#define TLS_CT_DSS_SIGN 2
#define TLS_CT_RSA_FIXED_DH 3
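Review bot: The only change to tls1.h is a blank line added after `#define TLS1_STREAM_MAC 0x04`. A whitespace-only edit in a public header adds noise to the revision history without changing anything; suggest dropping it from this commit.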
 .
patch -p0 <<' .'
Index: openssl/util/ssleay.num
============================================================
================
$ cvs diff -u -r1.50 -r1.51 ssleay.num
--- openssl/util/ssleay.num 12 Aug 2007 23:59:04
-0000 1.50
+++ openssl/util/ssleay.num 31 Aug 2007 12:42:53
-0000 1.51
 -239,17 +239,17 
SSL_CTX_get_client_cert_cb
288 EXIST::FUNCTION:
SSL_CTX_sess_get_remove_cb
289 EXIST::FUNCTION:
SSL_set_SSL_CTX
290 EXIST::FUNCTION:
-SSL_get_servername
291 EXIST::FUNCTION:TLSEXT
-SSL_get_servername_type
292 EXIST::FUNCTION:TLSEXT
-SSL_CTX_use_psk_identity_hint
293 EXIST::FUNCTION:PSK
-SSL_CTX_set_psk_client_callback
294 EXIST::FUNCTION:PSK
-PEM_write_bio_SSL_SESSION
295 EXIST::FUNCTION:
-SSL_get_psk_identity_hint
296 EXIST::FUNCTION:PSK
-SSL_set_psk_server_callback
297 EXIST::FUNCTION:PSK
-SSL_use_psk_identity_hint
298 EXIST::FUNCTION:PSK
-SSL_set_psk_client_callback
299 EXIST::FUNCTION:PSK
-PEM_read_SSL_SESSION
300 EXIST:!WIN16:FUNCTION:
-PEM_read_bio_SSL_SESSION
301 EXIST::FUNCTION:
-SSL_CTX_set_psk_server_callback
302 EXIST::FUNCTION:PSK
-SSL_get_psk_identity
303 EXIST::FUNCTION:PSK
+SSL_CTX_use_psk_identity_hint
291 EXIST::FUNCTION:PSK
+SSL_CTX_set_psk_client_callback
292 EXIST::FUNCTION:PSK
+SSL_get_psk_identity_hint
293 EXIST::FUNCTION:PSK
+SSL_set_psk_server_callback
294 EXIST::FUNCTION:PSK
+SSL_use_psk_identity_hint
295 EXIST::FUNCTION:PSK
+SSL_set_psk_client_callback
296 EXIST::FUNCTION:PSK
+SSL_get_servername
297 EXIST::FUNCTION:TLSEXT
+SSL_get_servername_type
298 EXIST::FUNCTION:TLSEXT
+SSL_CTX_set_psk_server_callback
299 EXIST::FUNCTION:PSK
+SSL_get_psk_identity
300 EXIST::FUNCTION:PSK
+PEM_write_bio_SSL_SESSION
301 EXIST::FUNCTION:
+PEM_read_SSL_SESSION
302 EXIST:!WIN16:FUNCTION:
+PEM_read_bio_SSL_SESSION
303 EXIST::FUNCTION:
PEM_write_SSL_SESSION
304 EXIST:!WIN16:FUNCTION:
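Review bot: Renumbering existing entries in ssleay.num changes the ordinals of functions that are already exported, and this hunk does so for all thirteen entries from 291 to 303 without adding a new symbol: SSL_get_servername moves from 291 to 297, PEM_read_bio_SSL_SESSION from 301 to 303, and so on. The file feeds the generated export definitions, so builds that link by ordinal would see different functions behind the same numbers, and the change is not mentioned in the log message about handshake digests. Suggest leaving assigned numbers untouched, or moving the renumbering to its own commit with the reason stated.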
 .
____________________________________________________________
__________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List
openssl-cvs openssl.org