mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove support for all 40 and 56 bit ciphers.

Browse Source 
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
This commit is contained in:
Kurt Roeckx 2015-12-05 02:04:41 +01:00
parent fe6ef2472d
commit 361a119127
24 changed files with 293 additions and 1419 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -4,6 +4,11 @@
Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
*) Remove support for all 40 and 56 bit ciphers. This includes all the export
ciphers who are no longer supported and drops support the ephemeral RSA key
exchange. The LOW ciphers currently doesn't have any ciphers in it.
[Kurt Roeckx]
*) Added ASYNC support. Libcrypto now includes the async sub-library to enable
cryptographic operations to be performed asynchronously as long as an
asynchronous capable engine is used. See the ASYNC_start_job() man page for

47
apps/s_server.c
View File

@ -190,9 +190,6 @@ typedef unsigned int u_int;
# undef FIONBIO
#endif
#ifndef OPENSSL_NO_RSA
static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif
static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
static int sv_body(char *hostname, int s, int stype, unsigned char *context);
static int www_body(char *hostname, int s, int stype, unsigned char *context);
@ -807,7 +804,7 @@ typedef enum OPTION_choice {
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE,
OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF,
OPT_QUIET, OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_ECDHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,
OPT_SSL3,
@ -866,7 +863,6 @@ OPTIONS s_server_options[] = {
"Do not load certificates from the default certificates directory"},
{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
{"quiet", OPT_QUIET, '-', "No server output"},
{"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"},
{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
{"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
{"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
@ -1004,7 +1000,7 @@ int s_server_main(int argc, char *argv[])
#ifndef OPENSSL_NO_DH
int no_dhe = 0;
#endif
int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0, ret = 1;
int no_ecdhe = 0, nocert = 0, ret = 1;
int noCApath = 0, noCAfile = 0;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
@ -1295,9 +1291,6 @@ int s_server_main(int argc, char *argv[])
case OPT_BRIEF:
s_quiet = s_brief = verify_quiet = 1;
break;
case OPT_NO_TMP_RSA:
no_tmp_rsa = 1;
break;
case OPT_NO_DHE:
#ifndef OPENSSL_NO_DH
no_dhe = 1;
@ -1824,13 +1817,6 @@ int s_server_main(int argc, char *argv[])
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
goto end;
}
#ifndef OPENSSL_NO_RSA
if (!no_tmp_rsa) {
SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
if (ctx2)
SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
}
#endif
if (no_resume_ephemeral) {
SSL_CTX_set_not_resumable_session_callback(ctx,
@ -3135,35 +3121,6 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
return (ret);
}
#ifndef OPENSSL_NO_RSA
static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength)
{
BIGNUM *bn = NULL;
static RSA *rsa_tmp = NULL;
if (!rsa_tmp && ((bn = BN_new()) == NULL))
BIO_printf(bio_err, "Allocation error in generating RSA key\n");
if (!rsa_tmp && bn) {
if (!s_quiet) {
BIO_printf(bio_err, "Generating temp (%d bit) RSA key...",
keylength);
(void)BIO_flush(bio_err);
}
if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
RSA_free(rsa_tmp);
rsa_tmp = NULL;
}
if (!s_quiet) {
BIO_printf(bio_err, "\n");
(void)BIO_flush(bio_err);
}
BN_free(bn);
}
return (rsa_tmp);
}
#endif
#define MAX_SESSION_ID_ATTEMPTS 10
static int generate_session_id(const SSL *ssl, unsigned char *id,
unsigned int *id_len)

15
demos/easy_tls/easy-tls.c
View File

@ -651,7 +651,6 @@ struct tls_create_ctx_args tls_create_ctx_defaultargs(void)
ret.ca_file = NULL;
ret.verify_depth = -1;
ret.fail_unless_verified = 0;
ret.export_p = 0;
return ret;
}
@ -781,20 +780,6 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
/* avoid small subgroup attacks: */
SSL_CTX_set_options(ret, SSL_OP_SINGLE_DH_USE);
}
#ifndef NO_RSA
if (!a.client_p && a.export_p) {
RSA *tmpkey;
tmpkey = RSA_generate_key(512, RSA_F4, 0, NULL);
if (tmpkey == NULL)
goto err;
if (!SSL_CTX_set_tmp_rsa(ret, tmpkey)) {
RSA_free(tmpkey);
goto err;
}
RSA_free(tmpkey); /* SSL_CTX_set_tmp_rsa uses a duplicate. */
}
#endif
return ret;

1
demos/easy_tls/easy-tls.h
View File

@ -34,7 +34,6 @@ struct tls_create_ctx_args {
const char *ca_file;
int verify_depth;
int fail_unless_verified;
int export_p;
};
struct tls_create_ctx_args tls_create_ctx_defaultargs(void);
/*

32
doc/apps/ciphers.pod
View File

@ -168,18 +168,6 @@ encryption.
"low" encryption cipher suites, currently those using 64 or 56 bit encryption
algorithms but excluding export cipher suites.
=item B<EXP>, B<EXPORT>
export encryption algorithms. Including 40 and 56 bits algorithms.
=item B<EXPORT40>
40 bit export encryption algorithms
=item B<EXPORT56>
56 bit export encryption algorithms. This list is empty.
=item B<eNULL>, B<NULL>
the "NULL" ciphers that is those offering no encryption. Because these offer no
@ -387,12 +375,9 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
SSL_RSA_WITH_NULL_MD5 NULL-MD5
SSL_RSA_WITH_NULL_SHA NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 RC4-MD5
SSL_RSA_WITH_RC4_128_SHA RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
@ -400,16 +385,12 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH-DSS-DES-CBC3-SHA
SSL_DH_RSA_WITH_DES_CBC_SHA DH-RSA-DES-CBC-SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH-RSA-DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-DHE-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA DHE-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DHE-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA DHE-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA
SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
@ -421,31 +402,22 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
TLS_RSA_WITH_NULL_MD5 NULL-MD5
TLS_RSA_WITH_NULL_SHA NULL-SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5
TLS_RSA_WITH_RC4_128_MD5 RC4-MD5
TLS_RSA_WITH_RC4_128_SHA RC4-SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5
TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA
TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented.
TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented.
TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented.
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-DHE-DSS-DES-CBC-SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA DHE-DSS-CBC-SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DHE-RSA-DES-CBC-SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA DHE-RSA-DES-CBC-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE-RSA-DES-CBC3-SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5
TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA
TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA
@ -511,10 +483,6 @@ algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
Note: these ciphers can also be used in SSL v3.
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
=head2 Elliptic curve cipher suites.

6
doc/apps/s_server.pod
View File

@ -66,7 +66,6 @@ B<openssl> B<s_server>
[B<-cipher cipherlist>]
[B<-serverpref>]
[B<-quiet>]
[B<-no_tmp_rsa>]
[B<-ssl3>]
[B<-tls1>]
[B<-dtls>]
@ -186,11 +185,6 @@ disabling the ephemeral DH cipher suites.
if this option is set then no ECDH parameters will be loaded effectively
disabling the ephemeral ECDH cipher suites.
=item B<-no_tmp_rsa>
certain export cipher suites sometimes use a temporary RSA key, this option
disables temporary RSA key generation.
=item B<-crl_check>, B<-crl_check_all>
Check the peer certificate has not been revoked by its CA.

5
doc/ssl/SSL_CTX_set_cipher_list.pod
View File

@ -37,10 +37,6 @@ ADH ciphers don't need a certificate, but DH-parameters must have been set.
All other ciphers need a corresponding certificate and key.
A RSA cipher can only be chosen, when a RSA certificate is available.
RSA export ciphers with a keylength of 512 bits for the RSA key require
a temporary 512 bit RSA key, as typically the supplied key has a length
of 1024 bit (see
L<SSL_CTX_set_tmp_rsa_callback(3)>).
RSA ciphers using DHE need a certificate and key and additional DH-parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)>).
@ -63,7 +59,6 @@ could be selected and 0 on complete failure.
L<ssl(3)>, L<SSL_get_ciphers(3)>,
L<SSL_CTX_use_certificate(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)>,
L<ciphers(1)>

1
doc/ssl/SSL_CTX_set_options.pod
View File

@ -269,7 +269,6 @@ secure renegotiation and 0 if it does not.
L<ssl(3)>, L<SSL_new(3)>, L<SSL_clear(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)>,
L<dhparam(1)>
=head1 HISTORY

159
doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
View File

@ -1,159 +0,0 @@
=pod
=head1 NAME
SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa - handle RSA keys for ephemeral key exchange
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);
long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx);
void SSL_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)
long SSL_need_tmp_rsa(SSL *ssl)
RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength);
=head1 DESCRIPTION
SSL_CTX_set_tmp_rsa_callback() sets the callback function for B<ctx> to be
used when a temporary/ephemeral RSA key is required to B<tmp_rsa_callback>.
The callback is inherited by all SSL objects newly created from B<ctx>
with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
SSL_CTX_set_tmp_rsa() sets the temporary/ephemeral RSA key to be used to be
B<rsa>. The key is inherited by all SSL objects newly created from B<ctx>
with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
SSL_CTX_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed
for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
with a keysize larger than 512 bits is installed.
SSL_set_tmp_rsa_callback() sets the callback only for B<ssl>.
SSL_set_tmp_rsa() sets the key only for B<ssl>.
SSL_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed,
for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
with a keysize larger than 512 bits is installed.
These functions apply to SSL/TLS servers only.
=head1 NOTES
When using a cipher with RSA authentication, an ephemeral RSA key exchange
can take place. In this case the session data are negotiated using the
ephemeral/temporary RSA key and the RSA key supplied and certified
by the certificate chain is only used for signing.
Under previous export restrictions, ciphers with RSA keys shorter (512 bits)
than the usual key length of 1024 bits were created. To use these ciphers
with RSA keys of usual length, an ephemeral key exchange must be performed,
as the normal (certified) key cannot be directly used.
Using ephemeral RSA key exchange yields forward secrecy, as the connection
can only be decrypted, when the RSA key is known. By generating a temporary
RSA key inside the server application that is lost when the application
is left, it becomes impossible for an attacker to decrypt past sessions,
even if he gets hold of the normal (certified) RSA key, as this key was
used for signing only. The downside is that creating a RSA key is
computationally expensive.
Additionally, the use of ephemeral RSA key exchange is only allowed in
the TLS standard, when the RSA key can be used for signing only, that is
for export ciphers. Using ephemeral RSA key exchange for other purposes
violates the standard and can break interoperability with clients.
It is therefore strongly recommended to not use ephemeral RSA key
exchange and use DHE (Ephemeral Diffie-Hellman) key exchange instead
in order to achieve forward secrecy (see
L<SSL_CTX_set_tmp_dh_callback(3)>).
An application may either directly specify the key or can supply the key via a
callback function. The callback approach has the advantage, that the callback
may generate the key only in case it is actually needed. As the generation of a
RSA key is however costly, it will lead to a significant delay in the handshake
procedure. Another advantage of the callback function is that it can supply
keys of different size while the explicit setting of the key is only useful for
key size of 512 bits to satisfy the export restricted ciphers and does give
away key length if a longer key would be allowed.
The B<tmp_rsa_callback> is called with the B<keylength> needed and
the B<is_export> information. The B<is_export> flag is set, when the
ephemeral RSA key exchange is performed with an export cipher.
=head1 EXAMPLES
Generate temporary RSA keys to prepare ephemeral RSA key exchange. As the
generation of a RSA key costs a lot of computer time, they saved for later
reuse. For demonstration purposes, two keys for 512 bits and 1024 bits
respectively are generated.
...
/* Set up ephemeral RSA stuff */
RSA *rsa_512 = NULL;
RSA *rsa_1024 = NULL;
rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL);
if (rsa_512 == NULL)
evaluate_error_queue();
rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL);
if (rsa_1024 == NULL)
evaluate_error_queue();
...
RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
{
RSA *rsa_tmp=NULL;
switch (keylength) {
case 512:
if (rsa_512)
rsa_tmp = rsa_512;
else { /* generate on the fly, should not happen in this example */
rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL);
rsa_512 = rsa_tmp; /* Remember for later reuse */
}
break;
case 1024:
if (rsa_1024)
rsa_tmp=rsa_1024;
else
should_not_happen_in_this_example();
break;
default:
/* Generating a key on the fly is very costly, so use what is there */
if (rsa_1024)
rsa_tmp=rsa_1024;
else
rsa_tmp=rsa_512; /* Use at least a shorter key */
}
return(rsa_tmp);
}
=head1 RETURN VALUES
SSL_CTX_set_tmp_rsa_callback() and SSL_set_tmp_rsa_callback() do not return
diagnostic output.
SSL_CTX_set_tmp_rsa() and SSL_set_tmp_rsa() do return 1 on success and 0
on failure. Check the error queue to find out the reason of failure.
SSL_CTX_need_tmp_rsa() and SSL_need_tmp_rsa() return 1 if a temporary
RSA key is needed and 0 otherwise.
=head1 SEE ALSO
L<ssl(3)>, L<SSL_CTX_set_cipher_list(3)>,
L<SSL_CTX_set_options(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)>,
L<SSL_new(3)>, L<ciphers(1)>
=cut

20
doc/ssl/ssl.pod
View File

@ -331,25 +331,6 @@ Use the file path to locate trusted CA certficates.
=item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void));
=item long B<SSL_CTX_set_tmp_rsa>(SSL_CTX *ctx, RSA *rsa);
=item SSL_CTX_set_tmp_rsa_callback
C<long B<SSL_CTX_set_tmp_rsa_callback>(SSL_CTX *B<ctx>, RSA *(*B<cb>)(SSL *B<ssl>, int B<export>, int B<keylength>));>
Sets the callback which will be called when a temporary private key is
required. The B<C<export>> flag will be set if the reason for needing
a temp key is that an export ciphersuite is in use, in which case,
B<C<keylength>> will contain the required keylength in bits. Generate a key of
appropriate size (using ???) and return it.
=item SSL_set_tmp_rsa_callback
long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength));
The same as B<SSL_CTX_set_tmp_rsa_callback>, except it operates on an SSL
session instead of a context.
=item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
=item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey);
@ -713,7 +694,6 @@ L<SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_set_session_id_context(3)>,
L<SSL_CTX_set_ssl_version(3)>,
L<SSL_CTX_set_timeout(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)>,
L<SSL_CTX_set_verify(3)>,
L<SSL_CTX_use_certificate(3)>,

31
include/openssl/ssl.h
View File

@ -181,8 +181,6 @@ extern "C" {
/* These are used to specify which ciphers to use and not to use */
# define SSL_TXT_EXP40 "EXPORT40"
# define SSL_TXT_EXP56 "EXPORT56"
# define SSL_TXT_LOW "LOW"
# define SSL_TXT_MEDIUM "MEDIUM"
# define SSL_TXT_HIGH "HIGH"
@ -268,9 +266,6 @@ extern "C" {
# define SSL_TXT_TLSV1_1 "TLSv1.1"
# define SSL_TXT_TLSV1_2 "TLSv1.2"
# define SSL_TXT_EXP "EXP"
# define SSL_TXT_EXPORT "EXPORT"
# define SSL_TXT_ALL "ALL"
/*-
@ -1113,11 +1108,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_ERROR_WANT_CONNECT 7
# define SSL_ERROR_WANT_ACCEPT 8
# define SSL_ERROR_WANT_ASYNC 9
# define SSL_CTRL_NEED_TMP_RSA 1
# define SSL_CTRL_SET_TMP_RSA 2
# define SSL_CTRL_SET_TMP_DH 3
# define SSL_CTRL_SET_TMP_ECDH 4
# define SSL_CTRL_SET_TMP_RSA_CB 5
# define SSL_CTRL_SET_TMP_DH_CB 6
# define SSL_CTRL_GET_SESSION_REUSED 8
# define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
@ -1242,10 +1234,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
# define SSL_total_renegotiations(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
# define SSL_CTX_need_tmp_RSA(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
# define SSL_CTX_set_tmp_rsa(ctx,rsa) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
# define SSL_CTX_set_tmp_dh(ctx,dh) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
# define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
@ -1254,10 +1242,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_set_dh_auto(s, onoff) \
SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
# define SSL_need_tmp_RSA(ssl) \
SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
# define SSL_set_tmp_rsa(ssl,rsa) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
# define SSL_set_tmp_dh(ssl,dh) \
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
# define SSL_set_tmp_ecdh(ssl,ecdh) \
@ -1749,15 +1733,6 @@ __owur int SSL_get_ex_data_X509_STORE_CTX_idx(void);
SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
/* NB: the keylength is only applicable when is_export is true */
# ifndef OPENSSL_NO_RSA
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*cb) (SSL *ssl, int is_export,
int keylength));
void SSL_set_tmp_rsa_callback(SSL *ssl,
RSA *(*cb) (SSL *ssl, int is_export,
int keylength));
# endif
# ifndef OPENSSL_NO_DH
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh) (SSL *ssl, int is_export,
@ -2259,7 +2234,6 @@ void ERR_load_SSL_strings(void);
# define SSL_R_EE_KEY_TOO_SMALL 399
# define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
# define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
# define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
# define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
# define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
# define SSL_R_EXTRA_DATA_IN_MESSAGE 153
@ -2294,16 +2268,12 @@ void ERR_load_SSL_strings(void);
# define SSL_R_MISSING_DSA_SIGNING_CERT 165
# define SSL_R_MISSING_ECDH_CERT 382
# define SSL_R_MISSING_ECDSA_SIGNING_CERT 381
# define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
# define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
# define SSL_R_MISSING_RSA_CERTIFICATE 168
# define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
# define SSL_R_MISSING_RSA_SIGNING_CERT 170
# define SSL_R_MISSING_SRP_PARAM 358
# define SSL_R_MISSING_TMP_DH_KEY 171
# define SSL_R_MISSING_TMP_ECDH_KEY 311
# define SSL_R_MISSING_TMP_RSA_KEY 172
# define SSL_R_MISSING_TMP_RSA_PKEY 173
# define SSL_R_MISSING_VERIFY_MESSAGE 174
# define SSL_R_MULTIPLE_SGC_RESTARTS 346
# define SSL_R_NO_CERTIFICATES_RETURNED 176
@ -2395,7 +2365,6 @@ void ERR_load_SSL_strings(void);
# define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
# define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
# define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
# define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
# define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
# define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
# define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080

6
include/openssl/tls1.h
View File

@ -658,12 +658,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
* using DHE everywhere, though we may indefinitely maintain aliases for
* users or configurations that used "EDH"
*/
# define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
# define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
# define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA"
# define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DHE-DSS-DES-CBC-SHA"
# define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA "EXP1024-RC4-SHA"
# define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
# define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA"
# define TLS1_TXT_PSK_WITH_NULL_SHA "PSK-NULL-SHA"

36
ssl/s3_enc.c
View File

@ -197,18 +197,16 @@ int ssl3_change_cipher_state(SSL *s, int which)
unsigned char *p, *mac_secret;
unsigned char exp_key[EVP_MAX_KEY_LENGTH];
unsigned char exp_iv[EVP_MAX_IV_LENGTH];
unsigned char *ms, *key, *iv, *er1, *er2;
unsigned char *ms, *key, *iv;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
#ifndef OPENSSL_NO_COMP
COMP_METHOD *comp;
#endif
const EVP_MD *m;
EVP_MD_CTX md;
int is_exp, n, i, j, k, cl;
int n, i, j, k, cl;
int reuse_dd = 0;
is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c = s->s3->tmp.new_sym_enc;
m = s->s3->tmp.new_hash;
/* m == NULL will lead to a crash later */
@ -295,9 +293,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (i < 0)
goto err2;
cl = EVP_CIPHER_key_length(c);
j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
/* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
j = cl;
k = EVP_CIPHER_iv_length(c);
if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
(which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
@ -307,8 +303,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
n += j + j;
iv = &(p[n]);
n += k + k;
er1 = &(s->s3->client_random[0]);
er2 = &(s->s3->server_random[0]);
} else {
n = i;
ms = &(p[n]);
@ -317,8 +311,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
n += j + k;
iv = &(p[n]);
n += k;
er1 = &(s->s3->server_random[0]);
er2 = &(s->s3->client_random[0]);
}
if (n > s->s3->tmp.key_block_length) {
@ -326,28 +318,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
goto err2;
}
EVP_MD_CTX_init(&md);
memcpy(mac_secret, ms, i);
if (is_exp) {
/*
* In here I set both the read and write key/iv to the same value
* since only the correct one will be used :-).
*/
EVP_DigestInit_ex(&md, EVP_md5(), NULL);
EVP_DigestUpdate(&md, key, j);
EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
key = &(exp_key[0]);
if (k > 0) {
EVP_DigestInit_ex(&md, EVP_md5(), NULL);
EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
iv = &(exp_iv[0]);
}
}
EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
@ -370,7 +341,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
OPENSSL_cleanse(exp_key, sizeof(exp_key));
OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
EVP_MD_CTX_cleanup(&md);
return (1);
err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);

700
ssl/s3_lib.c
View File

File diff suppressed because it is too large Load Diff

11
ssl/ssl_cert.c
View File

@ -195,14 +195,6 @@ CERT *ssl_cert_dup(CERT *cert)
ret->references = 1;
ret->key = &ret->pkeys[cert->key - cert->pkeys];
#ifndef OPENSSL_NO_RSA
if (cert->rsa_tmp != NULL) {
RSA_up_ref(cert->rsa_tmp);
ret->rsa_tmp = cert->rsa_tmp;
}
ret->rsa_tmp_cb = cert->rsa_tmp_cb;
#endif
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL) {
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
@ -377,9 +369,6 @@ void ssl_cert_free(CERT *c)
}
#endif
#ifndef OPENSSL_NO_RSA
RSA_free(c->rsa_tmp);
#endif
#ifndef OPENSSL_NO_DH
DH_free(c->dh_tmp);
#endif

77
ssl/ssl_ciph.c
View File

@ -399,13 +399,7 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, "TLSv1.0", 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
{0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0},
/* export flag */
{0, SSL_TXT_EXP, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0},
{0, SSL_TXT_EXPORT, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0},
/* strength classes */
{0, SSL_TXT_EXP40, 0, 0, 0, 0, 0, 0, SSL_EXP40, 0, 0, 0},
{0, SSL_TXT_EXP56, 0, 0, 0, 0, 0, 0, SSL_EXP56, 0, 0, 0},
{0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0},
{0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0},
{0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0},
@ -413,24 +407,12 @@ static const SSL_CIPHER cipher_aliases[] = {
{0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0},
/* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
{0, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 0,
SSL_kDHE, SSL_aDSS, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_EXPORT | SSL_EXP40,
0, 0, 0,},
{0, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 0,
SSL_kDHE, SSL_aDSS, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP | SSL_LOW,
0, 0, 0,},
{0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 0,
SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, 0, 0, 0,},
{0, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 0,
SSL_kDHE, SSL_aRSA, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_EXPORT | SSL_EXP40,
0, 0, 0,},
{0, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 0,
SSL_kDHE, SSL_aRSA, SSL_DES, SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP | SSL_LOW,
0, 0, 0,},
SSL_HIGH | SSL_FIPS, 0, 0, 0,},
{0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 0,
SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, 0, 0, 0,},
SSL_HIGH | SSL_FIPS, 0, 0, 0,},
};
@ -982,11 +964,7 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
continue;
if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
continue;
if ((algo_strength & SSL_EXP_MASK)
&& !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
continue;
if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
if (algo_strength && !(algo_strength & cp->algo_strength))
continue;
if ((algo_strength & SSL_DEFAULT_MASK)
&& !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
@ -1249,31 +1227,15 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
alg_mac = ca_list[j]->algorithm_mac;
}
if (ca_list[j]->algo_strength & SSL_EXP_MASK) {
if (algo_strength & SSL_EXP_MASK) {
algo_strength &=
(ca_list[j]->algo_strength & SSL_EXP_MASK) |
~SSL_EXP_MASK;
if (!(algo_strength & SSL_EXP_MASK)) {
if (ca_list[j]->algo_strength) {
if (algo_strength) {
algo_strength &= ca_list[j]->algo_strength;
if (!algo_strength) {
found = 0;
break;
}
} else
algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
}
if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
if (algo_strength & SSL_STRONG_MASK) {
algo_strength &=
(ca_list[j]->algo_strength & SSL_STRONG_MASK) |
~SSL_STRONG_MASK;
if (!(algo_strength & SSL_STRONG_MASK)) {
found = 0;
break;
}
} else
algo_strength |=
ca_list[j]->algo_strength & SSL_STRONG_MASK;
algo_strength = ca_list[j]->algo_strength;
}
if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
@ -1625,12 +1587,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
{
int is_export, pkl, kl;
const char *ver, *exp_str;
const char *ver;
const char *kx, *au, *enc, *mac;
uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
static const char *format =
"%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
"%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
alg_mkey = cipher->algorithm_mkey;
alg_auth = cipher->algorithm_auth;
@ -1638,11 +1599,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
alg_mac = cipher->algorithm_mac;
alg_ssl = cipher->algorithm_ssl;
is_export = SSL_C_IS_EXPORT(cipher);
pkl = SSL_C_EXPORT_PKEYLENGTH(cipher);
kl = SSL_C_EXPORT_KEYLENGTH(cipher);
exp_str = is_export ? " export" : "";
if (alg_ssl & SSL_SSLV3)
ver = "SSLv3";
else if (alg_ssl & SSL_TLSV1)
@ -1654,7 +1610,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
switch (alg_mkey) {
case SSL_kRSA:
kx = is_export ? (pkl == 512 ? "RSA(512)" : "RSA(1024)") : "RSA";
kx = "RSA";
break;
case SSL_kDHr:
kx = "DH/RSA";
@ -1663,7 +1619,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
kx = "DH/DSS";
break;
case SSL_kDHE:
kx = is_export ? (pkl == 512 ? "DH(512)" : "DH(1024)") : "DH";
kx = "DH";
break;
case SSL_kECDHr:
kx = "ECDH/RSA";
@ -1735,16 +1691,16 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
switch (alg_enc) {
case SSL_DES:
enc = (is_export && kl == 5) ? "DES(40)" : "DES(56)";
enc = "DES(56)";
break;
case SSL_3DES:
enc = "3DES(168)";
break;
case SSL_RC4:
enc = is_export ? (kl == 5 ? "RC4(40)" : "RC4(56)") : "RC4(128)";
enc = "RC4(128)";
break;
case SSL_RC2:
enc = is_export ? (kl == 5 ? "RC2(40)" : "RC2(56)") : "RC2(128)";
enc = "RC2(128)";
break;
case SSL_IDEA:
enc = "IDEA(128)";
@ -1834,8 +1790,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
} else if (len < 128)
return ("Buffer too small");
BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac,
exp_str);
BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);
return (buf);
}

10
ssl/ssl_err.c
View File

@ -517,8 +517,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"empty srtp protection profile list"},
{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),
"encrypted length too long"},
{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),
"error generating tmp rsa key"},
{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),
"error in received cipher list"},
{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"},
@ -559,10 +557,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_MISSING_ECDH_CERT), "missing ecdh cert"},
{ERR_REASON(SSL_R_MISSING_ECDSA_SIGNING_CERT),
"missing ecdsa signing cert"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY),
"missing export tmp dh key"},
{ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY),
"missing export tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),
"missing rsa encrypting cert"},
@ -570,8 +564,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_MISSING_SRP_PARAM), "can't find SRP server param"},
{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY), "missing tmp ecdh key"},
{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY), "missing tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY), "missing tmp rsa pkey"},
{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE), "missing verify message"},
{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS), "multiple sgc restarts"},
{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"},
@ -705,8 +697,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"tlsv1 alert decryption failed"},
{ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),
"tlsv1 alert decrypt error"},
{ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),
"tlsv1 alert export restriction"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),
"tlsv1 alert inappropriate fallback"},
{ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),

115
ssl/ssl_lib.c
View File

@ -2004,65 +2004,44 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
CERT_PKEY *cpk;
CERT *c = s->cert;
uint32_t *pvalid = s->s3->tmp.valid_flags;
int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
int rsa_enc_export, dh_rsa_export, dh_dsa_export;
int rsa_tmp_export, dh_tmp_export, kl;
unsigned long mask_k, mask_a, emask_k, emask_a;
int rsa_enc, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign;
unsigned long mask_k, mask_a;
#ifndef OPENSSL_NO_EC
int have_ecc_cert, ecdsa_ok, ecc_pkey_size;
int have_ecc_cert, ecdsa_ok;
int ecdh_ok;
X509 *x = NULL;
EVP_PKEY *ecc_pkey = NULL;
int pk_nid = 0, md_nid = 0;
#endif
if (c == NULL)
return;
kl = SSL_C_EXPORT_PKEYLENGTH(cipher);
#ifndef OPENSSL_NO_RSA
rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
rsa_tmp_export = (c->rsa_tmp_cb != NULL ||
(rsa_tmp && RSA_size(c->rsa_tmp) * 8 <= kl));
#else
rsa_tmp = rsa_tmp_export = 0;
#endif
#ifndef OPENSSL_NO_DH
dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto);
dh_tmp_export = !c->dh_tmp_auto && (c->dh_tmp_cb != NULL ||
(dh_tmp
&& DH_size(c->dh_tmp) * 8 <= kl));
#else
dh_tmp = dh_tmp_export = 0;
dh_tmp = 0;
#endif
cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
rsa_enc = pvalid[SSL_PKEY_RSA_ENC] & CERT_PKEY_VALID;
rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
rsa_sign = pvalid[SSL_PKEY_RSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
dsa_sign = pvalid[SSL_PKEY_DSA_SIGN] & CERT_PKEY_SIGN;
cpk = &(c->pkeys[SSL_PKEY_DH_RSA]);
dh_rsa = pvalid[SSL_PKEY_DH_RSA] & CERT_PKEY_VALID;
dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_DH_DSA]);
dh_dsa = pvalid[SSL_PKEY_DH_DSA] & CERT_PKEY_VALID;
dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl);
cpk = &(c->pkeys[SSL_PKEY_ECC]);
#ifndef OPENSSL_NO_EC
have_ecc_cert = pvalid[SSL_PKEY_ECC] & CERT_PKEY_VALID;
#endif
mask_k = 0;
mask_a = 0;
emask_k = 0;
emask_a = 0;
#ifdef CIPHER_DEBUG
fprintf(stderr,
"rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
rsa_tmp, rsa_tmp_export, dh_tmp, rsa_enc,
rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
"dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
#endif
#ifndef OPENSSL_NO_GOST
@ -2083,42 +2062,30 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
}
#endif
if (rsa_enc || (rsa_tmp && rsa_sign))
if (rsa_enc)
mask_k |= SSL_kRSA;
if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
emask_k |= SSL_kRSA;
if (dh_tmp_export)
emask_k |= SSL_kDHE;
if (dh_tmp)
mask_k |= SSL_kDHE;
if (dh_rsa)
mask_k |= SSL_kDHr;
if (dh_rsa_export)
emask_k |= SSL_kDHr;
if (dh_dsa)
mask_k |= SSL_kDHd;
if (dh_dsa_export)
emask_k |= SSL_kDHd;
if (mask_k & (SSL_kDHr | SSL_kDHd))
mask_a |= SSL_aDH;
if (rsa_enc || rsa_sign) {
mask_a |= SSL_aRSA;
emask_a |= SSL_aRSA;
}
if (dsa_sign) {
mask_a |= SSL_aDSS;
emask_a |= SSL_aDSS;
}
mask_a |= SSL_aNULL;
emask_a |= SSL_aNULL;
/*
* An ECC certificate may be usable for ECDH and/or ECDSA cipher suites
@ -2134,47 +2101,32 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE;
if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN))
ecdsa_ok = 0;
ecc_pkey = X509_get_pubkey(x);
ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0;
EVP_PKEY_free(ecc_pkey);
OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (ecdh_ok) {
if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
mask_k |= SSL_kECDHr;
mask_a |= SSL_aECDH;
if (ecc_pkey_size <= 163) {
emask_k |= SSL_kECDHr;
emask_a |= SSL_aECDH;
}
}
if (pk_nid == NID_X9_62_id_ecPublicKey) {
mask_k |= SSL_kECDHe;
mask_a |= SSL_aECDH;
if (ecc_pkey_size <= 163) {
emask_k |= SSL_kECDHe;
emask_a |= SSL_aECDH;
}
}
}
if (ecdsa_ok) {
mask_a |= SSL_aECDSA;
emask_a |= SSL_aECDSA;
}
}
#endif
#ifndef OPENSSL_NO_EC
mask_k |= SSL_kECDHE;
emask_k |= SSL_kECDHE;
#endif
#ifndef OPENSSL_NO_PSK
mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
emask_k |= SSL_kPSK;
emask_a |= SSL_aPSK;
if (mask_k & SSL_kRSA)
mask_k |= SSL_kRSAPSK;
if (mask_k & SSL_kDHE)
@ -2185,8 +2137,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
s->s3->tmp.mask_k = mask_k;
s->s3->tmp.mask_a = mask_a;
s->s3->tmp.export_mask_k = emask_k;
s->s3->tmp.export_mask_a = emask_a;
}
#ifndef OPENSSL_NO_EC
@ -2194,8 +2144,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
{
unsigned long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int keysize = 0;
int md_nid = 0, pk_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
uint32_t ex_kusage = X509_get_key_usage(x);
@ -2203,17 +2151,6 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
alg_k = cs->algorithm_mkey;
alg_a = cs->algorithm_auth;
if (SSL_C_IS_EXPORT(cs)) {
/* ECDH key length in export ciphers must be <= 163 bits */
pkey = X509_get_pubkey(x);
if (pkey == NULL)
return 0;
keysize = EVP_PKEY_bits(pkey);
EVP_PKEY_free(pkey);
if (keysize > 163)
return 0;
}
OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid);
if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
@ -3078,44 +3015,6 @@ int SSL_want(const SSL *s)
return (s->rwstate);
}
/**
* \brief Set the callback for generating temporary RSA keys.
* \param ctx the SSL context.
* \param cb the callback
*/
#ifndef OPENSSL_NO_RSA
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb) (SSL *ssl,
int is_export,
int keylength))
{
SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
}
void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb) (SSL *ssl,
int is_export,
int keylength))
{
SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
}
#endif
#ifdef DOXYGEN
/**
* \brief The RSA temporary key callback function.
* \param ssl the SSL session.
* \param is_export \c TRUE if the temp RSA key is for an export ciphersuite.
* \param keylength if \c is_export is \c TRUE, then \c keylength is the size
* of the required key in bits.
* \return the temporary RSA key.
* \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback
*/
RSA *cb(SSL *ssl, int is_export, int keylength)
{
}
#endif
/**
* \brief Set the callback for generating temporary DH keys.
* \param ctx the SSL context.

81
ssl/ssl_locl.h
View File

@ -438,68 +438,16 @@
*/
# define TLS1_STREAM_MAC 0x10000
/*
* Export and cipher strength information. For each cipher we have to decide
* whether it is exportable or not. This information is likely to change
* over time, since the export control rules are no static technical issue.
*
* Independent of the export flag the cipher strength is sorted into classes.
* SSL_EXP40 was denoting the 40bit US export limit of past times, which now
* is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
* again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
* since SSL_EXP64 could be similar to SSL_LOW.
* For this reason SSL_MICRO and SSL_MINI macros are included to widen the
* namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
* and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
* be possible.
*/
# define SSL_EXP_MASK 0x00000003U
# define SSL_STRONG_MASK 0x000001fcU
# define SSL_DEFAULT_MASK 0X00000200U
# define SSL_DEFAULT_MASK 0X00000020U
# define SSL_NOT_EXP 0x00000001U
# define SSL_EXPORT 0x00000002U
# define SSL_STRONG_NONE 0x00000001U
# define SSL_LOW 0x00000002U
# define SSL_MEDIUM 0x00000004U
# define SSL_HIGH 0x00000008U
# define SSL_FIPS 0x00000010U
# define SSL_NOT_DEFAULT 0x00000020U
# define SSL_STRONG_NONE 0x00000004U
# define SSL_EXP40 0x00000008U
# define SSL_MICRO (SSL_EXP40)
# define SSL_EXP56 0x00000010U
# define SSL_MINI (SSL_EXP56)
# define SSL_LOW 0x00000020U
# define SSL_MEDIUM 0x00000040U
# define SSL_HIGH 0x00000080U
# define SSL_FIPS 0x00000100U
# define SSL_NOT_DEFAULT 0x00000200U
/* we have used 000003ff - 22 bits left to go */
/*-
* Macros to check the export status and cipher strength for export ciphers.
* Even though the macros for EXPORT and EXPORT40/56 have similar names,
* their meaning is different:
* *_EXPORT macros check the 'exportable' status.
* *_EXPORT40/56 macros are used to check whether a certain cipher strength
* is given.
* Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
* algorithm structure element to be passed (algorithms, algo_strength) and no
* typechecking can be done as they are all of type unsigned long, their
* direct usage is discouraged.
* Use the SSL_C_* macros instead.
*/
# define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
# define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
# define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
# define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
# define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
# define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
# define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
(a) == SSL_DES ? 8 : 7)
# define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
# define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
(c)->algo_strength)
# define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
/* we have used 0000003f - 26 bits left to go */
/* Check if an SSL structure is using DTLS */
# define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
@ -550,8 +498,7 @@
# define SSL_PKEY_GOST_EC SSL_PKEY_NUM+1
/*-
* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
* <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
* SSL_kRSA <- RSA_ENC
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
* SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
* SSL_aRSA <- RSA_ENC | RSA_SIGN
@ -1300,7 +1247,6 @@ typedef struct ssl3_state_st {
int ctype_num;
char ctype[SSL3_CT_NUMBER];
STACK_OF(X509_NAME) *ca_names;
int use_rsa_tmp;
int key_block_length;
unsigned char *key_block;
const EVP_CIPHER *new_sym_enc;
@ -1349,8 +1295,6 @@ typedef struct ssl3_state_st {
*/
uint32_t mask_k;
uint32_t mask_a;
uint32_t export_mask_k;
uint32_t export_mask_a;
/* Client only */
uint32_t mask_ssl;
} tmp;
@ -1392,9 +1336,6 @@ typedef struct ssl3_state_st {
# endif /* !OPENSSL_NO_EC */
/* For clients: peer temporary key */
# ifndef OPENSSL_NO_RSA
RSA *peer_rsa_tmp;
# endif
# ifndef OPENSSL_NO_DH
DH *peer_dh_tmp;
# endif
@ -1559,10 +1500,6 @@ typedef struct cert_st {
* an index, not a pointer.
*/
CERT_PKEY *key;
# ifndef OPENSSL_NO_RSA
RSA *rsa_tmp;
RSA *(*rsa_tmp_cb) (SSL *ssl, int is_export, int keysize);
# endif
# ifndef OPENSSL_NO_DH
DH *dh_tmp;
DH *(*dh_tmp_cb) (SSL *ssl, int is_export, int keysize);

177
ssl/statem/statem_clnt.c
View File

@ -211,30 +211,6 @@ static int key_exchange_expected(SSL *s)
return 1;
}
/*
* Export ciphersuites may have temporary RSA keys if the public key in the
* server certificate is longer than the maximum export strength
*/
if ((alg_k & SSL_kRSA) && SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
EVP_PKEY *pkey;
pkey = X509_get_pubkey(s->session->peer);
if (pkey == NULL)
return -1;
/*
* If the public key in the certificate is shorter than or equal to the
* maximum export strength then a temporary RSA key is not allowed
*/
if (EVP_PKEY_bits(pkey)
<= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
return 0;
EVP_PKEY_free(pkey);
return 1;
}
return 0;
}
@ -1622,10 +1598,6 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
save_param_start = *pkt;
#ifndef OPENSSL_NO_RSA
RSA_free(s->s3->peer_rsa_tmp);
s->s3->peer_rsa_tmp = NULL;
#endif
#ifndef OPENSSL_NO_DH
DH_free(s->s3->peer_dh_tmp);
s->s3->peer_dh_tmp = NULL;
@ -1709,51 +1681,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
/* We must check if there is a certificate */
if (alg_a & (SSL_aRSA|SSL_aDSS))
pkey = X509_get_pubkey(s->session->peer);
} else
#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_RSA
if (alg_k & SSL_kRSA) {
PACKET mod, exp;
/* Temporary RSA keys only allowed in export ciphersuites */
if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
al = SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
}
if (!PACKET_get_length_prefixed_2(pkt, &mod)
|| !PACKET_get_length_prefixed_2(pkt, &exp)) {
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
if ((rsa = RSA_new()) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((rsa->n = BN_bin2bn(PACKET_data(&mod), PACKET_remaining(&mod),
rsa->n)) == NULL
|| (rsa->e = BN_bin2bn(PACKET_data(&exp), PACKET_remaining(&exp),
rsa->e)) == NULL) {
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_BN_LIB);
goto err;
}
/* this should be because we are using an export cipher */
if (alg_a & SSL_aRSA)
pkey = X509_get_pubkey(s->session->peer);
else {
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
}
s->s3->peer_rsa_tmp = rsa;
rsa = NULL;
}
#else /* OPENSSL_NO_RSA */
if (0) ;
#endif
#endif /* !OPENSSL_NO_SRP */
#ifndef OPENSSL_NO_DH
else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
PACKET prime, generator, pub_key;
@ -1850,14 +1779,6 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
group = EC_KEY_get0_group(ecdh);
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
(EC_GROUP_get_degree(group) > 163)) {
al = SSL_AD_EXPORT_RESTRICTION;
SSLerr(SSL_F_TLS_PROCESS_KEY_EXCHANGE,
SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
goto f_err;
}
/* Next, get the encoded ECPoint */
if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
((bn_ctx = BN_CTX_new()) == NULL)) {
@ -2445,20 +2366,16 @@ psk_err:
goto err;
}
if (s->s3->peer_rsa_tmp != NULL)
rsa = s->s3->peer_rsa_tmp;
else {
pkey = X509_get_pubkey(s->session->peer);
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
|| (pkey->pkey.rsa == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
EVP_PKEY_free(pkey);
goto err;
}
rsa = pkey->pkey.rsa;
pkey = X509_get_pubkey(s->session->peer);
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA)
|| (pkey->pkey.rsa == NULL)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
EVP_PKEY_free(pkey);
goto err;
}
rsa = pkey->pkey.rsa;
EVP_PKEY_free(pkey);
pms[0] = s->client_version >> 8;
pms[1] = s->client_version & 0xff;
@ -3178,10 +3095,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
int i, idx;
long alg_k, alg_a;
EVP_PKEY *pkey = NULL;
int pkey_bits;
#ifndef OPENSSL_NO_RSA
RSA *rsa;
#endif
#ifndef OPENSSL_NO_DH
DH *dh;
#endif
@ -3193,9 +3106,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
/* we don't have a certificate */
if ((alg_a & SSL_aNULL) || (alg_k & SSL_kPSK))
return (1);
#ifndef OPENSSL_NO_RSA
rsa = s->s3->peer_rsa_tmp;
#endif
#ifndef OPENSSL_NO_DH
dh = s->s3->peer_dh_tmp;
#endif
@ -3222,7 +3132,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
pkey = X509_get_pubkey(s->session->peer);
pkey_bits = EVP_PKEY_bits(pkey);
i = X509_certificate_type(s->session->peer, pkey);
EVP_PKEY_free(pkey);
@ -3240,27 +3149,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
#ifndef OPENSSL_NO_RSA
if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_RSA_ENCRYPTING_CERT);
goto f_err;
} else if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) {
if (pkey_bits <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
if (!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_RSA_ENCRYPTING_CERT);
goto f_err;
}
if (rsa != NULL) {
/* server key exchange is not allowed. */
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
goto f_err;
}
}
}
if (alg_k & (SSL_kRSA | SSL_kRSAPSK) &&
!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_RSA_ENCRYPTING_CERT);
goto f_err;
}
#endif
#ifndef OPENSSL_NO_DH
@ -3284,48 +3177,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
# endif
#endif
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
#ifndef OPENSSL_NO_RSA
if (alg_k & SSL_kRSA) {
if (rsa == NULL) {
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
} else if (RSA_bits(rsa) >
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
/* We have a temporary RSA key but it's too large. */
al = SSL_AD_EXPORT_RESTRICTION;
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
}
} else
#endif
#ifndef OPENSSL_NO_DH
if (alg_k & SSL_kDHE) {
if (DH_bits(dh) >
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) {
/* We have a temporary DH key but it's too large. */
al = SSL_AD_EXPORT_RESTRICTION;
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;
}
} else if (alg_k & (SSL_kDHr | SSL_kDHd)) {
/* The cert should have had an export DH key. */
al = SSL_AD_EXPORT_RESTRICTION;
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;
} else
#endif
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
goto f_err;
}
}
return (1);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);

87
ssl/statem/statem_srvr.c
View File

@ -315,7 +315,7 @@ static int send_server_key_exchange(SSL *s)
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/*
* only send a ServerKeyExchange if DH, fortezza or RSA but we have a
* only send a ServerKeyExchange if DH or fortezza but we have a
* sign only certificate PSK: may send PSK identity hints For
* ECC ciphersuites, we send a serverKeyExchange message only if
* the cipher suite is either ECDH-anon or ECDHE. In other cases,
@ -324,15 +324,6 @@ static int send_server_key_exchange(SSL *s)
*/
if ( (alg_k & SSL_kDHE)
|| (alg_k & SSL_kECDHE)
|| ((alg_k & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
&& EVP_PKEY_size(s->cert->pkeys
[SSL_PKEY_RSA_ENC].privatekey) *
8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
)
)
)
/*
* PSK: send ServerKeyExchange if PSK identity hint if
* provided
@ -1723,9 +1714,6 @@ int tls_construct_server_done(SSL *s)
int tls_construct_server_key_exchange(SSL *s)
{
#ifndef OPENSSL_NO_RSA
RSA *rsa;
#endif
#ifndef OPENSSL_NO_DH
DH *dh = NULL, *dhp;
#endif
@ -1769,35 +1757,6 @@ int tls_construct_server_key_exchange(SSL *s)
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
#endif /* !OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_RSA
if (type & SSL_kRSA) {
rsa = cert->rsa_tmp;
if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
rsa = s->cert->rsa_tmp_cb(s,
SSL_C_IS_EXPORT(s->s3->
tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->
tmp.new_cipher));
if (rsa == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
goto f_err;
}
RSA_up_ref(rsa);
cert->rsa_tmp = rsa;
}
if (rsa == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_MISSING_TMP_RSA_KEY);
goto f_err;
}
r[0] = rsa->n;
r[1] = rsa->e;
s->s3->tmp.use_rsa_tmp = 1;
} else
#endif
#ifndef OPENSSL_NO_DH
if (type & (SSL_kDHE | SSL_kDHEPSK)) {
if (s->cert->dh_tmp_auto) {
@ -1811,11 +1770,7 @@ int tls_construct_server_key_exchange(SSL *s)
} else
dhp = cert->dh_tmp;
if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
dhp = s->cert->dh_tmp_cb(s,
SSL_C_IS_EXPORT(s->s3->
tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->
tmp.new_cipher));
dhp = s->cert->dh_tmp_cb(s, 0, 1024);
if (dhp == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
@ -1903,13 +1858,6 @@ int tls_construct_server_key_exchange(SSL *s)
goto err;
}
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
(EC_GROUP_get_degree(group) > 163)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
goto err;
}
/*
* XXX: For now, we only support ephemeral ECDH keys over named
* (not generic) curves. For supported named curves, curve_id is
@ -2316,30 +2264,15 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
size_t j;
/* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp) {
if ((s->cert != NULL) && (s->cert->rsa_tmp != NULL))
rsa = s->cert->rsa_tmp;
/*
* Don't do a callback because rsa_tmp should be sent already
*/
if (rsa == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_MISSING_TMP_RSA_PKEY);
goto f_err;
}
} else {
pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
if ((pkey == NULL) ||
(pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_MISSING_RSA_CERTIFICATE);
goto f_err;
}
rsa = pkey->pkey.rsa;
pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
if ((pkey == NULL) ||
(pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
SSL_R_MISSING_RSA_CERTIFICATE);
goto f_err;
}
rsa = pkey->pkey.rsa;
/* SSLv3 and pre-standard DTLS omit the length bytes. */
if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {

42
ssl/t1_enc.c
View File

@ -294,15 +294,12 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
int tls1_change_cipher_state(SSL *s, int which)
{
static const unsigned char empty[] = "";
unsigned char *p, *mac_secret;
unsigned char *exp_label;
unsigned char tmp1[EVP_MAX_KEY_LENGTH];
unsigned char tmp2[EVP_MAX_KEY_LENGTH];
unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
unsigned char *ms, *key, *iv;
int client_write;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
#ifndef OPENSSL_NO_COMP
@ -313,10 +310,9 @@ int tls1_change_cipher_state(SSL *s, int which)
int *mac_secret_size;
EVP_MD_CTX *mac_ctx;
EVP_PKEY *mac_key;
int is_export, n, i, j, k, exp_label_len, cl;
int n, i, j, k, cl;
int reuse_dd = 0;
is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c = s->s3->tmp.new_sym_enc;
m = s->s3->tmp.new_hash;
mac_type = s->s3->tmp.new_mac_pkey_type;
@ -413,8 +409,7 @@ int tls1_change_cipher_state(SSL *s, int which)
i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;
cl = EVP_CIPHER_key_length(c);
j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
j = cl;
/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
/* If GCM/CCM mode only part of IV comes from PRF */
if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
@ -431,9 +426,6 @@ int tls1_change_cipher_state(SSL *s, int which)
n += j + j;
iv = &(p[n]);
n += k + k;
exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
client_write = 1;
} else {
n = i;
ms = &(p[n]);
@ -442,9 +434,6 @@ int tls1_change_cipher_state(SSL *s, int which)
n += j + k;
iv = &(p[n]);
n += k;
exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
client_write = 0;
}
if (n > s->s3->tmp.key_block_length) {
@ -473,33 +462,6 @@ int tls1_change_cipher_state(SSL *s, int which)
printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
}
#endif
if (is_export) {
/*
* In here I set both the read and write key/iv to the same value
* since only the correct one will be used :-).
*/
if (!tls1_PRF(s,
exp_label, exp_label_len,
s->s3->client_random, SSL3_RANDOM_SIZE,
s->s3->server_random, SSL3_RANDOM_SIZE,
NULL, 0, NULL, 0,
key, j, tmp1, tmp2, EVP_CIPHER_key_length(c)))
goto err2;
key = tmp1;
if (k > 0) {
if (!tls1_PRF(s,
TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
s->s3->client_random, SSL3_RANDOM_SIZE,
s->s3->server_random, SSL3_RANDOM_SIZE,
NULL, 0, NULL, 0, empty, 0, iv1, iv2, k * 2))
goto err2;
if (client_write)
iv = iv1;
else
iv = &(iv1[k]);
}
}
if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))

44
test/ssltest.c
View File

@ -212,10 +212,6 @@
#define COMP_ZLIB 1
static int verify_callback(int ok, X509_STORE_CTX *ctx);
#ifndef OPENSSL_NO_RSA
static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength);
static void free_tmp_rsa(void);
#endif
static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
#define APP_CALLBACK_STRING "Test Callback Argument"
struct app_verify_arg {
@ -1483,10 +1479,6 @@ int main(int argc, char *argv[])
(void)no_ecdhe;
#endif
#ifndef OPENSSL_NO_RSA
SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
#endif
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
@ -1716,9 +1708,6 @@ int main(int argc, char *argv[])
BIO_free(bio_stdout);
#ifndef OPENSSL_NO_RSA
free_tmp_rsa();
#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
@ -2834,39 +2823,6 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
return (ok);
}
#ifndef OPENSSL_NO_RSA
static RSA *rsa_tmp = NULL;
static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength)
{
BIGNUM *bn = NULL;
if (rsa_tmp == NULL) {
bn = BN_new();
rsa_tmp = RSA_new();
if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
BIO_printf(bio_err, "Memory error...");
goto end;
}
printf("Generating temp (%d bit) RSA key...", keylength);
if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
BIO_printf(bio_err, "Error generating key.");
RSA_free(rsa_tmp);
rsa_tmp = NULL;
}
end:
printf("\n");
}
BN_free(bn);
return (rsa_tmp);
}
static void free_tmp_rsa(void)
{
RSA_free(rsa_tmp);
rsa_tmp = NULL;
}
#endif
#ifndef OPENSSL_NO_DH
/*-
* These DH parameters have been generated as follows:

4
util/ssleay.num
View File

@ -157,7 +157,7 @@ BIO_new_ssl_connect 174 EXIST::FUNCTION:
SSL_get_ex_data_X509_STORE_CTX_idx 175 EXIST:!VMS:FUNCTION:
SSL_get_ex_d_X509_STORE_CTX_idx 175 EXIST:VMS:FUNCTION:
SSL_CTX_set_tmp_dh_callback 176 EXIST::FUNCTION:DH
SSL_CTX_set_tmp_rsa_callback 177 EXIST::FUNCTION:RSA
SSL_CTX_set_tmp_rsa_callback 177 NOEXIST::FUNCTION:
SSL_CTX_set_timeout 178 EXIST::FUNCTION:
SSL_CTX_get_timeout 179 EXIST::FUNCTION:
SSL_CTX_get_cert_store 180 EXIST::FUNCTION:
@ -167,7 +167,7 @@ SSL_library_init 183 EXIST::FUNCTION:
SSL_COMP_add_compression_method 184 EXIST::FUNCTION:
SSL_add_file_cert_subjects_to_stack 185 EXIST:!VMS:FUNCTION:
SSL_add_file_cert_subjs_to_stk 185 EXIST:VMS:FUNCTION:
SSL_set_tmp_rsa_callback 186 EXIST::FUNCTION:RSA
SSL_set_tmp_rsa_callback 186 NOEXIST::FUNCTION:
SSL_set_tmp_dh_callback 187 EXIST::FUNCTION:DH
SSL_add_dir_cert_subjects_to_stack 188 EXIST:!VMS:FUNCTION:
SSL_add_dir_cert_subjs_to_stk 188 EXIST:VMS:FUNCTION: