author | Joel Sing <jsing@cvs.openbsd.org> | 2014-05-25 13:27:39 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-05-25 13:27:39 +0000 |
commit | 08712b17ba04e56b49a1fb3dc937a66db87984e9 (patch) | |
tree | e6b8684acbb24cd1b838ab96920119da7fe83843 | |
parent | 9b9a219661060dc66cbc93009a8c9ba11650c057 (diff) |
The ssl_cipher_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.
ok miod@
-rw-r--r-- | lib/libssl/src/ssl/s3_enc.c | 15 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl.h | 1 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_ciph.c | 54 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_err.c | 1 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_locl.h | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/ssl_txt.c | 4 | ||||
-rw-r--r-- | lib/libssl/src/ssl/t1_enc.c | 13 |
7 files changed, 58 insertions, 34 deletions
diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c
index 5a45cec1c11..119e7ce1f45 100644
--- a/lib/libssl/src/ssl/s3_enc.c
+++ b/lib/libssl/src/ssl/s3_enc.c
@@ -387,18 +387,21 @@ ssl3_setup_key_block(SSL *s)
 	if (s->s3->tmp.key_block_length != 0)
 		return (1);
 
-	if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
-		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+	if (!ssl_cipher_get_comp(s->session, &comp)) {
+		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
+		    SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
+		return (0);
+	}
+
+	if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL)) {
+		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
+		    SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 		return (0);
 	}
 
 	s->s3->tmp.new_sym_enc = c;
 	s->s3->tmp.new_hash = hash;
-#ifdef OPENSSL_NO_COMP
-	s->s3->tmp.new_compression = NULL;
-#else
 	s->s3->tmp.new_compression = comp;
-#endif
 
 	num = EVP_MD_size(hash);
 	if (num < 0)
diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h
index 9744d9783cd..6765e3560ae 100644
--- a/lib/libssl/src/ssl/ssl.h
+++ b/lib/libssl/src/ssl/ssl.h
@@ -2197,6 +2197,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CERT_LENGTH_MISMATCH 135
 #define SSL_R_CHALLENGE_IS_DIFFERENT 136
 #define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
+#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE 371
 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
 #define SSL_R_CIPHER_TABLE_SRC_ERROR 139
 #define SSL_R_CLIENTHELLO_TLSEXT 226
diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c
index 4ae3312a1a0..bd939b7563c 100644
--- a/lib/libssl/src/ssl/ssl_ciph.c
+++ b/lib/libssl/src/ssl/ssl_ciph.c
@@ -481,33 +481,45 @@ load_builtin_compressions(void)
 }
 #endif
 
+/* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
+ * session and returns 1. On error it returns 0. */
 int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp)
+ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
 {
+	SSL_COMP ctmp;
 	int i;
-	const SSL_CIPHER *c;
 
-	c = s->cipher;
-	if (c == NULL)
-		return (0);
-	if (comp != NULL) {
-		SSL_COMP ctmp;
 #ifndef OPENSSL_NO_COMP
-		load_builtin_compressions();
+	load_builtin_compressions();
 #endif
 
-		*comp = NULL;
-		ctmp.id = s->compress_meth;
-		if (ssl_comp_methods != NULL) {
-			i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
-			if (i >= 0)
-				*comp = sk_SSL_COMP_value(ssl_comp_methods, i);
-			else
-				*comp = NULL;
-		}
+	*comp = NULL;
+	if (s->compress_meth == 0)
+		return 1;
+	if (ssl_comp_methods == NULL)
+		return 0;
+
+	ctmp.id = s->compress_meth;
+	i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
+	if (i >= 0) {
+		*comp = sk_SSL_COMP_value(ssl_comp_methods, i);
+		return 1;
 	}
+	return 0;
+}
+
+int
+ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+{
+	const SSL_CIPHER *c;
+	int i;
+
+	c = s->cipher;
+	if (c == NULL)
+		return (0);
+
 	if ((enc == NULL) || (md == NULL))
 		return (0);
 
@@ -732,8 +744,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
 	*enc |= SSL_eNULL;
 #endif
-
-
 	*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
 	*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
 	*enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
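Review bot: The header comment on ssl_cipher_get_comp leaves out the case its callers depend on: when s->compress_meth is 0 the function returns 1 with *comp left NULL, so a 1 return does not by itself mean a compression method was found, and comp must be non-NULL because it is written before any other check (the replaced ssl_cipher_get_evp tolerated comp == NULL, the new function does not). Suggest extending it to `/* ssl_cipher_get_comp sets *comp to the SSL_COMP for the given session and returns 1. A session without compression (compress_meth == 0) also returns 1 with *comp == NULL; a non-zero method with no registered entry returns 0. comp must be non-NULL. */`. Minor style point: the new function uses `return 1;` / `return 0;` while the adjacent ssl_cipher_get_evp keeps `return (0);`; one form within the file would read better. The body of ssl_cipher_get_evp continues past the end of the hunk.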
@@ -1684,8 +1694,8 @@ ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
 	SSL_COMP *ctmp;
 	int i, nn;
 
-	if ((n == 0)
-	    || (sk == NULL)) return (NULL);
+	if ((n == 0) || (sk == NULL))
+		return (NULL);
 	nn = sk_SSL_COMP_num(sk);
 	for (i = 0; i < nn; i++) {
 		ctmp = sk_SSL_COMP_value(sk, i);
diff --git a/lib/libssl/src/ssl/ssl_err.c b/lib/libssl/src/ssl/ssl_err.c
index 67ba3c76991..7bea7fafa1f 100644
--- a/lib/libssl/src/ssl/ssl_err.c
+++ b/lib/libssl/src/ssl/ssl_err.c
@@ -344,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
 {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},
 {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
 {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
+{ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
 {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
 {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},
diff --git a/lib/libssl/src/ssl/ssl_locl.h b/lib/libssl/src/ssl/ssl_locl.h
index 3a4656ef622..06f37b69e65 100644
--- a/lib/libssl/src/ssl/ssl_locl.h
+++ b/lib/libssl/src/ssl/ssl_locl.h
@@ -599,9 +599,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
     STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted, const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
+int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp);
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,
-    SSL_COMP **comp);
+    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
 int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md);
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
diff --git a/lib/libssl/src/ssl/ssl_txt.c b/lib/libssl/src/ssl/ssl_txt.c
index 01dd846596f..734e0c0755d 100644
--- a/lib/libssl/src/ssl/ssl_txt.c
+++ b/lib/libssl/src/ssl/ssl_txt.c
@@ -190,7 +190,9 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 	if (x->compress_meth != 0) {
 		SSL_COMP *comp = NULL;
 
-		ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp);
+		if (!ssl_cipher_get_comp(x, &comp))
+			goto err;
+
 		if (comp == NULL) {
 			if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0)
 				goto err;
diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c
index 25991220789..5f17a4a94a2 100644
--- a/lib/libssl/src/ssl/t1_enc.c
+++ b/lib/libssl/src/ssl/t1_enc.c
@@ -532,12 +532,19 @@ tls1_setup_key_block(SSL *s)
 	int mac_type = NID_undef, mac_secret_size = 0;
 	int ret = 0;
-
 	if (s->s3->tmp.key_block_length != 0)
 		return (1);
 
-	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {
-		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+	if (!ssl_cipher_get_comp(s->session, &comp)) {
+		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+		    SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
+		return (0);
+	}
+
+	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type,
+	    &mac_secret_size)) {
+		SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+		    SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 		return (0);
 	}
|
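Review bot: The `if (comp == NULL)` branch directly below the new `goto err` is now unreachable: inside `if (x->compress_meth != 0)`, ssl_cipher_get_comp either returns 1 with a non-NULL *comp or returns 0, so the fallback that prints the raw method number is dead code, and SSL_SESSION_print now fails outright for a session whose compression method is not registered (which appears to include builds where ssl_comp_methods is never populated, judging by the OPENSSL_NO_COMP guard in ssl_ciph.c). If a diagnostic printer should still describe such a session, keep the fallback by treating a lookup failure as "unknown method" rather than an error, `if (!ssl_cipher_get_comp(x, &comp)) comp = NULL;`; if the failure is meant to be fatal as the commit message suggests, remove the unreachable branch so the two paths do not disagree. SSL_SESSION_print starts and ends outside the hunk.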