summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2014-04-14 15:37:03 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-04-14 15:37:03 +0000
commit406ba2a727d75ca5c4143db25cdd011be8bc782a (patch)
tree25041b3e1efe34afd13faaed003bb7e443e64ec9
parent258f85942e8b33009c2398069017f255c553d61d (diff)
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using tr and md5.
Diffstat
-rw-r--r--lib/libssl/src/ssl/s2_clnt.c1213
-rw-r--r--lib/libssl/src/ssl/s2_enc.c149
-rw-r--r--lib/libssl/src/ssl/s2_lib.c569
-rw-r--r--lib/libssl/src/ssl/s2_meth.c17
-rw-r--r--lib/libssl/src/ssl/s2_pkt.c742
-rw-r--r--lib/libssl/src/ssl/s2_srvr.c1264
6 files changed, 1909 insertions, 2045 deletions
diff --git a/lib/libssl/src/ssl/s2_clnt.c b/lib/libssl/src/ssl/s2_clnt.c
index 15fbef9c778..a1cfab6f2d5 100644
--- a/lib/libssl/src/ssl/s2_clnt.c
+++ b/lib/libssl/src/ssl/s2_clnt.c
@@ -121,152 +121,156 @@ static const SSL_METHOD *ssl2_get_client_method(int ver);
static int get_server_finished(SSL *s);
static int get_server_verify(SSL *s);
static int get_server_hello(SSL *s);
-static int client_hello(SSL *s);
+static int client_hello(SSL *s);
+
static int client_master_key(SSL *s);
static int client_finished(SSL *s);
static int client_certificate(SSL *s);
-static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
- unsigned char *to,int padding);
+static int
+ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
+unsigned char *to, int padding);
#define BREAK break
-static const SSL_METHOD *ssl2_get_client_method(int ver)
- {
+static const SSL_METHOD
+*ssl2_get_client_method(int ver)
+{
if (ver == SSL2_VERSION)
- return(SSLv2_client_method());
+ return (SSLv2_client_method());
else
- return(NULL);
- }
+ return (NULL);
+}
IMPLEMENT_ssl2_meth_func(SSLv2_client_method,
- ssl_undefined_function,
- ssl2_connect,
- ssl2_get_client_method)
-
-int ssl2_connect(SSL *s)
- {
- unsigned long l=(unsigned long)time(NULL);
- BUF_MEM *buf=NULL;
- int ret= -1;
- void (*cb)(const SSL *ssl,int type,int val)=NULL;
- int new_state,state;
-
- RAND_add(&l,sizeof(l),0);
+ ssl_undefined_function, ssl2_connect, ssl2_get_client_method)
+
+int
+ssl2_connect(SSL *s)
+{
+ unsigned long l = (unsigned long)time(NULL);
+ BUF_MEM *buf = NULL;
+ int ret = -1;
+ void (*cb)(const SSL *ssl, int type, int val) = NULL;
+ int new_state, state;
+
+ RAND_add(&l, sizeof(l), 0);
ERR_clear_error();
errno = 0;
if (s->info_callback != NULL)
- cb=s->info_callback;
+ cb = s->info_callback;
else if (s->ctx->info_callback != NULL)
- cb=s->ctx->info_callback;
+ cb = s->ctx->info_callback;
/* init things to blank */
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s))
+ SSL_clear(s);
- for (;;)
- {
- state=s->state;
+ for (;;) {
+ state = s->state;
- switch (s->state)
- {
+ switch (s->state) {
case SSL_ST_BEFORE:
case SSL_ST_CONNECT:
case SSL_ST_BEFORE|SSL_ST_CONNECT:
case SSL_ST_OK|SSL_ST_CONNECT:
- s->server=0;
- if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+ s->server = 0;
+ if (cb != NULL)
+ cb(s, SSL_CB_HANDSHAKE_START, 1);
- s->version=SSL2_VERSION;
- s->type=SSL_ST_CONNECT;
+ s->version = SSL2_VERSION;
+ s->type = SSL_ST_CONNECT;
- buf=s->init_buf;
- if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
- {
- ret= -1;
+ buf = s->init_buf;
+ if ((buf == NULL) && ((buf = BUF_MEM_new()) == NULL)) {
+ ret = -1;
goto end;
- }
+ }
if (!BUF_MEM_grow(buf,
- SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
- {
+ SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
if (buf == s->init_buf)
- buf=NULL;
- ret= -1;
+ buf = NULL;
+ ret = -1;
goto end;
- }
- s->init_buf=buf;
- buf=NULL;
- s->init_num=0;
- s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
+ }
+ s->init_buf = buf;
+ buf = NULL;
+ s->init_num = 0;
+ s->state = SSL2_ST_SEND_CLIENT_HELLO_A;
s->ctx->stats.sess_connect++;
- s->handshake_func=ssl2_connect;
+ s->handshake_func = ssl2_connect;
BREAK;
case SSL2_ST_SEND_CLIENT_HELLO_A:
case SSL2_ST_SEND_CLIENT_HELLO_B:
- s->shutdown=0;
- ret=client_hello(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_GET_SERVER_HELLO_A;
+ s->shutdown = 0;
+ ret = client_hello(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_GET_SERVER_HELLO_A;
BREAK;
-
+
case SSL2_ST_GET_SERVER_HELLO_A:
case SSL2_ST_GET_SERVER_HELLO_B:
- ret=get_server_hello(s);
- if (ret <= 0) goto end;
- s->init_num=0;
+ ret = get_server_hello(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
if (!s->hit) /* new session */
- {
- s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_A;
- BREAK;
- }
- else
- {
- s->state=SSL2_ST_CLIENT_START_ENCRYPTION;
+ {
+ s->state = SSL2_ST_SEND_CLIENT_MASTER_KEY_A;
+ BREAK;
+
+ } else {
+ s->state = SSL2_ST_CLIENT_START_ENCRYPTION;
break;
- }
-
+ }
+
case SSL2_ST_SEND_CLIENT_MASTER_KEY_A:
case SSL2_ST_SEND_CLIENT_MASTER_KEY_B:
- ret=client_master_key(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_CLIENT_START_ENCRYPTION;
+ ret = client_master_key(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_CLIENT_START_ENCRYPTION;
break;
case SSL2_ST_CLIENT_START_ENCRYPTION:
/* Ok, we now have all the stuff needed to
* start encrypting, so lets fire it up :-) */
- if (!ssl2_enc_init(s,1))
- {
- ret= -1;
+ if (!ssl2_enc_init(s, 1)) {
+ ret = -1;
goto end;
- }
- s->s2->clear_text=0;
- s->state=SSL2_ST_SEND_CLIENT_FINISHED_A;
+ }
+ s->s2->clear_text = 0;
+ s->state = SSL2_ST_SEND_CLIENT_FINISHED_A;
break;
case SSL2_ST_SEND_CLIENT_FINISHED_A:
case SSL2_ST_SEND_CLIENT_FINISHED_B:
- ret=client_finished(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_GET_SERVER_VERIFY_A;
+ ret = client_finished(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_GET_SERVER_VERIFY_A;
break;
case SSL2_ST_GET_SERVER_VERIFY_A:
case SSL2_ST_GET_SERVER_VERIFY_B:
- ret=get_server_verify(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_GET_SERVER_FINISHED_A;
+ ret = get_server_verify(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_GET_SERVER_FINISHED_A;
break;
case SSL2_ST_GET_SERVER_FINISHED_A:
case SSL2_ST_GET_SERVER_FINISHED_B:
- ret=get_server_finished(s);
- if (ret <= 0) goto end;
+ ret = get_server_finished(s);
+ if (ret <= 0)
+ goto end;
break;
case SSL2_ST_SEND_CLIENT_CERTIFICATE_A:
@@ -274,20 +278,20 @@ int ssl2_connect(SSL *s)
case SSL2_ST_SEND_CLIENT_CERTIFICATE_C:
case SSL2_ST_SEND_CLIENT_CERTIFICATE_D:
case SSL2_ST_X509_GET_CLIENT_CERTIFICATE:
- ret=client_certificate(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_GET_SERVER_FINISHED_A;
+ ret = client_certificate(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_GET_SERVER_FINISHED_A;
break;
case SSL_ST_OK:
- if (s->init_buf != NULL)
- {
+ if (s->init_buf != NULL) {
BUF_MEM_free(s->init_buf);
- s->init_buf=NULL;
- }
- s->init_num=0;
- /* ERR_clear_error();*/
+ s->init_buf = NULL;
+ }
+ s->init_num = 0;
+ /* ERR_clear_error();*/
/* If we want to cache session-ids in the client
* and we successfully add the session-id to the
@@ -295,133 +299,129 @@ int ssl2_connect(SSL *s)
* 26/11/96 - eay - only add if not a re-used session.
*/
- ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
- if (s->hit) s->ctx->stats.sess_hit++;
+ ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
+ if (s->hit)
+ s->ctx->stats.sess_hit++;
- ret=1;
+ ret = 1;
/* s->server=0; */
s->ctx->stats.sess_connect_good++;
- if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+ if (cb != NULL)
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
goto end;
/* break; */
default:
- SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE);
- return(-1);
+ SSLerr(SSL_F_SSL2_CONNECT, SSL_R_UNKNOWN_STATE);
+ return (-1);
/* break; */
- }
+ }
- if ((cb != NULL) && (s->state != state))
- {
- new_state=s->state;
- s->state=state;
- cb(s,SSL_CB_CONNECT_LOOP,1);
- s->state=new_state;
- }
+ if ((cb != NULL) && (s->state != state)) {
+ new_state = s->state;
+ s->state = state;
+ cb(s, SSL_CB_CONNECT_LOOP, 1);
+ s->state = new_state;
}
+ }
end:
s->in_handshake--;
if (buf != NULL)
BUF_MEM_free(buf);
- if (cb != NULL)
- cb(s,SSL_CB_CONNECT_EXIT,ret);
- return(ret);
- }
-
-static int get_server_hello(SSL *s)
- {
+ if (cb != NULL)
+ cb(s, SSL_CB_CONNECT_EXIT, ret);
+ return (ret);
+}
+
+static int
+get_server_hello(SSL *s)
+{
unsigned char *buf;
unsigned char *p;
- int i,j;
+ int i, j;
unsigned long len;
- STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow;
-
- buf=(unsigned char *)s->init_buf->data;
- p=buf;
- if (s->state == SSL2_ST_GET_SERVER_HELLO_A)
- {
- i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num);
- if (i < (11-s->init_num))
- return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
+ STACK_OF(SSL_CIPHER) *sk = NULL, *cl, *prio, *allow;
+
+ buf = (unsigned char *)s->init_buf->data;
+ p = buf;
+ if (s->state == SSL2_ST_GET_SERVER_HELLO_A) {
+ i = ssl2_read(s,(char *)&(buf[s->init_num]), 11 - s->init_num);
+ if (i < (11 - s->init_num))
+ return (ssl2_part_read(s, SSL_F_GET_SERVER_HELLO, i));
s->init_num = 11;
- if (*(p++) != SSL2_MT_SERVER_HELLO)
- {
- if (p[-1] != SSL2_MT_ERROR)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ if (*(p++) != SSL2_MT_SERVER_HELLO) {
+ if (p[-1] != SSL2_MT_ERROR) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO,
- SSL_R_READ_WRONG_PACKET_TYPE);
- }
- else
+ SSL_R_READ_WRONG_PACKET_TYPE);
+ } else
SSLerr(SSL_F_GET_SERVER_HELLO,
- SSL_R_PEER_ERROR);
- return(-1);
- }
+ SSL_R_PEER_ERROR);
+ return (-1);
+ }
#if 0
- s->hit=(*(p++))?1:0;
+ s->hit = (*(p++)) ? 1 : 0;
/* Some [PPC?] compilers fail to increment p in above
statement, e.g. one provided with Rhapsody 5.5, but
most recent example XL C 11.1 for AIX, even without
optimization flag... */
#else
- s->hit=(*p)?1:0; p++;
+ s->hit = (*p) ? 1 : 0;
+ p++;
#endif
s->s2->tmp.cert_type= *(p++);
- n2s(p,i);
- if (i < s->version) s->version=i;
- n2s(p,i); s->s2->tmp.cert_length=i;
- n2s(p,i); s->s2->tmp.csl=i;
- n2s(p,i); s->s2->tmp.conn_id_length=i;
- s->state=SSL2_ST_GET_SERVER_HELLO_B;
- }
+ n2s(p, i);
+ if (i < s->version)
+ s->version = i;
+ n2s(p, i);
+ s->s2->tmp.cert_length = i;
+ n2s(p, i);
+ s->s2->tmp.csl = i;
+ n2s(p, i);
+ s->s2->tmp.conn_id_length = i;
+ s->state = SSL2_ST_GET_SERVER_HELLO_B;
+ }
/* SSL2_ST_GET_SERVER_HELLO_B */
len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length;
- if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
- {
- SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG);
+ if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_MESSAGE_TOO_LONG);
return -1;
- }
+ }
j = (int)len - s->init_num;
- i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
- if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
+ i = ssl2_read(s,(char *)&(buf[s->init_num]), j);
+ if (i != j)
+ return (ssl2_part_read(s, SSL_F_GET_SERVER_HELLO, i));
if (s->msg_callback)
s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */
/* things are looking good */
p = buf + 11;
- if (s->hit)
- {
- if (s->s2->tmp.cert_length != 0)
- {
- SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_LENGTH_NOT_ZERO);
- return(-1);
- }
- if (s->s2->tmp.cert_type != 0)
- {
+ if (s->hit) {
+ if (s->s2->tmp.cert_length != 0) {
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_REUSE_CERT_LENGTH_NOT_ZERO);
+ return (-1);
+ }
+ if (s->s2->tmp.cert_type != 0) {
if (!(s->options &
- SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG))
- {
- SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CERT_TYPE_NOT_ZERO);
- return(-1);
- }
- }
- if (s->s2->tmp.csl != 0)
- {
- SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_REUSE_CIPHER_LIST_NOT_ZERO);
- return(-1);
+ SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)) {
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_REUSE_CERT_TYPE_NOT_ZERO);
+ return (-1);
}
}
- else
- {
+ if (s->s2->tmp.csl != 0) {
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_REUSE_CIPHER_LIST_NOT_ZERO);
+ return (-1);
+ }
+ } else {
#ifdef undef
/* very bad */
- memset(s->session->session_id,0,
- SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES);
- s->session->session_id_length=0;
+ memset(s->session->session_id, 0,
+ SSL_MAX_SSL_SESSION_ID_LENGTH_IN_BYTES);
+ s->session->session_id_length = 0;
*/
#endif
@@ -429,372 +429,351 @@ static int get_server_hello(SSL *s)
* client session but others are already reusing it.
* If this was a new 'blank' session ID, the session-id
* length will still be 0 */
- if (s->session->session_id_length > 0)
- {
- if (!ssl_get_new_session(s,0))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
+ if (s->session->session_id_length > 0) {
+ if (!ssl_get_new_session(s, 0)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
}
+ }
- if (ssl2_set_certificate(s,s->s2->tmp.cert_type,
- s->s2->tmp.cert_length,p) <= 0)
- {
- ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
- return(-1);
- }
- p+=s->s2->tmp.cert_length;
+ if (ssl2_set_certificate(s, s->s2->tmp.cert_type,
+ s->s2->tmp.cert_length, p) <= 0) {
+ ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
+ return (-1);
+ }
+ p += s->s2->tmp.cert_length;
- if (s->s2->tmp.csl == 0)
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_LIST);
- return(-1);
- }
+ if (s->s2->tmp.csl == 0) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_NO_CIPHER_LIST);
+ return (-1);
+ }
/* We have just received a list of ciphers back from the
* server. We need to get the ones that match, then select
* the one we want the most :-). */
/* load the ciphers */
- sk=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.csl,
- &s->session->ciphers);
- p+=s->s2->tmp.csl;
- if (sk == NULL)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_HELLO,ERR_R_MALLOC_FAILURE);
- return(-1);
- }
+ sk = ssl_bytes_to_cipher_list(s, p, s->s2->tmp.csl,
+ &s->session->ciphers);
+ p += s->s2->tmp.csl;
+ if (sk == NULL) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
+ return (-1);
+ }
- (void)sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
+ (void)sk_SSL_CIPHER_set_cmp_func(sk, ssl_cipher_ptr_id_cmp);
/* get the array of ciphers we will accept */
- cl=SSL_get_ciphers(s);
- (void)sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp);
+ cl = SSL_get_ciphers(s);
+ (void)sk_SSL_CIPHER_set_cmp_func(cl, ssl_cipher_ptr_id_cmp);
/*
* If server preference flag set, choose the first
* (highest priority) cipher the server sends, otherwise
* client preference has priority.
*/
- if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
- {
- prio = sk;
- allow = cl;
- }
- else
- {
- prio = cl;
- allow = sk;
- }
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ prio = sk;
+ allow = cl;
+ } else {
+ prio = cl;
+ allow = sk;
+ }
/* In theory we could have ciphers sent back that we
* don't want to use but that does not matter since we
* will check against the list we originally sent and
* for performance reasons we should not bother to match
* the two lists up just to check. */
- for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
- {
+ for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
if (sk_SSL_CIPHER_find(allow,
- sk_SSL_CIPHER_value(prio,i)) >= 0)
+ sk_SSL_CIPHER_value(prio, i)) >= 0)
break;
- }
+ }
- if (i >= sk_SSL_CIPHER_num(prio))
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
- return(-1);
- }
- s->session->cipher=sk_SSL_CIPHER_value(prio,i);
+ if (i >= sk_SSL_CIPHER_num(prio)) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_NO_CIPHER_MATCH);
+ return (-1);
+ }
+ s->session->cipher = sk_SSL_CIPHER_value(prio, i);
if (s->session->peer != NULL) /* can't happen*/
- {
+ {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- return(-1);
- }
+ return (-1);
+ }
s->session->peer = s->session->sess_cert->peer_key->x509;
/* peer_key->x509 has been set by ssl2_set_certificate. */
CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
- }
+ }
- if (s->session->sess_cert == NULL
- || s->session->peer != s->session->sess_cert->peer_key->x509)
- /* can't happen */
- {
+ if (s->session->sess_cert == NULL
+ || s->session->peer != s->session->sess_cert->peer_key->x509)
+ /* can't happen */
+ {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- return(-1);
- }
-
- s->s2->conn_id_length=s->s2->tmp.conn_id_length;
- if (s->s2->conn_id_length > sizeof s->s2->conn_id)
- {
+ return (-1);
+ }
+
+ s->s2->conn_id_length = s->s2->tmp.conn_id_length;
+ if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_SSL2_CONNECTION_ID_TOO_LONG);
return -1;
- }
- memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
- return(1);
}
+ memcpy(s->s2->conn_id, p, s->s2->tmp.conn_id_length);
+ return (1);
+}
-static int client_hello(SSL *s)
- {
+static int
+client_hello(SSL *s)
+{
unsigned char *buf;
- unsigned char *p,*d;
+ unsigned char *p, *d;
/* CIPHER **cipher;*/
- int i,n,j;
+ int i, n, j;
- buf=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A)
- {
+ buf = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_SEND_CLIENT_HELLO_A) {
if ((s->session == NULL) ||
- (s->session->ssl_version != s->version))
- {
- if (!ssl_get_new_session(s,0))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
+ (s->session->ssl_version != s->version)) {
+ if (!ssl_get_new_session(s, 0)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
}
+ }
/* else use the pre-loaded session */
- p=buf; /* header */
- d=p+9; /* data section */
- *(p++)=SSL2_MT_CLIENT_HELLO; /* type */
- s2n(SSL2_VERSION,p); /* version */
- n=j=0;
-
- n=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),d,0);
- d+=n;
-
- if (n == 0)
- {
- SSLerr(SSL_F_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
- return(-1);
- }
+ p = buf;
+ /* header */
+ d = p + 9;
+ /* data section */
+ *(p++) = SSL2_MT_CLIENT_HELLO;
+ /* type */
+ s2n(SSL2_VERSION, p);
+ /* version */
+ n = j=0;
+
+ n = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), d, 0);
+ d += n;
+
+ if (n == 0) {
+ SSLerr(SSL_F_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
+ return (-1);
+ }
- s2n(n,p); /* cipher spec num bytes */
+ s2n(n, p);
+ /* cipher spec num bytes */
if ((s->session->session_id_length > 0) &&
- (s->session->session_id_length <=
- SSL2_MAX_SSL_SESSION_ID_LENGTH))
- {
- i=s->session->session_id_length;
- s2n(i,p); /* session id length */
- memcpy(d,s->session->session_id,(unsigned int)i);
- d+=i;
- }
- else
- {
- s2n(0,p);
- }
+ (s->session->session_id_length <=
+ SSL2_MAX_SSL_SESSION_ID_LENGTH)) {
+ i = s->session->session_id_length;
+ s2n(i, p);
+ /* session id length */
+ memcpy(d, s->session->session_id,(unsigned int)i);
+ d += i;
+ } else {
+ s2n(0, p);
+ }
- s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
- s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */
+ s->s2->challenge_length = SSL2_CHALLENGE_LENGTH;
+ s2n(SSL2_CHALLENGE_LENGTH, p);
+ /* challenge length */
/*challenge id data*/
- if (RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH) <= 0)
+ if (RAND_pseudo_bytes(s->s2->challenge, SSL2_CHALLENGE_LENGTH) <= 0)
return -1;
- memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
- d+=SSL2_CHALLENGE_LENGTH;
+ memcpy(d, s->s2->challenge, SSL2_CHALLENGE_LENGTH);
+ d += SSL2_CHALLENGE_LENGTH;
- s->state=SSL2_ST_SEND_CLIENT_HELLO_B;
- s->init_num=d-buf;
- s->init_off=0;
- }
- /* SSL2_ST_SEND_CLIENT_HELLO_B */
- return(ssl2_do_write(s));
+ s->state = SSL2_ST_SEND_CLIENT_HELLO_B;
+ s->init_num = d - buf;
+ s->init_off = 0;
}
+ /* SSL2_ST_SEND_CLIENT_HELLO_B */
+ return (ssl2_do_write(s));
+}
-static int client_master_key(SSL *s)
- {
+static int
+client_master_key(SSL *s)
+{
unsigned char *buf;
- unsigned char *p,*d;
- int clear,enc,karg,i;
+ unsigned char *p, *d;
+ int clear, enc, karg, i;
SSL_SESSION *sess;
const EVP_CIPHER *c;
const EVP_MD *md;
- buf=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
- {
+ buf = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A) {
- if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
- return(-1);
- }
- sess=s->session;
- p=buf;
- d=p+10;
+ if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+ return (-1);
+ }
+ sess = s->session;
+ p = buf;
+ d = p + 10;
*(p++)=SSL2_MT_CLIENT_MASTER_KEY;/* type */
- i=ssl_put_cipher_by_char(s,sess->cipher,p);
- p+=i;
+ i = ssl_put_cipher_by_char(s, sess->cipher, p);
+ p += i;
/* make key_arg data */
- i=EVP_CIPHER_iv_length(c);
- sess->key_arg_length=i;
- if (i > SSL_MAX_KEY_ARG_LENGTH)
- {
+ i = EVP_CIPHER_iv_length(c);
+ sess->key_arg_length = i;
+ if (i > SSL_MAX_KEY_ARG_LENGTH) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
- }
+ }
if (i > 0)
- if (RAND_pseudo_bytes(sess->key_arg,i) <= 0)
+ if (RAND_pseudo_bytes(sess->key_arg, i) <= 0)
return -1;
/* make a master key */
- i=EVP_CIPHER_key_length(c);
- sess->master_key_length=i;
- if (i > 0)
- {
- if (i > (int)sizeof(sess->master_key))
- {
+ i = EVP_CIPHER_key_length(c);
+ sess->master_key_length = i;
+ if (i > 0) {
+ if (i > (int)sizeof(sess->master_key)) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
- }
- if (RAND_bytes(sess->master_key,i) <= 0)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
}
+ if (RAND_bytes(sess->master_key, i) <= 0) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
+ }
+ }
if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
- enc=8;
+ enc = 8;
else if (SSL_C_IS_EXPORT(sess->cipher))
- enc=5;
+ enc = 5;
else
- enc=i;
+ enc = i;
- if ((int)i < enc)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_CIPHER_TABLE_SRC_ERROR);
- return(-1);
- }
- clear=i-enc;
- s2n(clear,p);
- memcpy(d,sess->master_key,(unsigned int)clear);
- d+=clear;
-
- enc=ssl_rsa_public_encrypt(sess->sess_cert,enc,
- &(sess->master_key[clear]),d,
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
- if (enc <= 0)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR);
- return(-1);
- }
+ if ((int)i < enc) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_CIPHER_TABLE_SRC_ERROR);
+ return (-1);
+ }
+ clear = i - enc;
+ s2n(clear, p);
+ memcpy(d, sess->master_key,(unsigned int)clear);
+ d += clear;
+
+ enc = ssl_rsa_public_encrypt(sess->sess_cert, enc,
+ &(sess->master_key[clear]), d,
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+ RSA_PKCS1_PADDING);
+ if (enc <= 0) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_PUBLIC_KEY_ENCRYPT_ERROR);
+ return (-1);
+ }
#ifdef PKCS1_CHECK
- if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++;
+ if (s->options & SSL_OP_PKCS1_CHECK_1)
+ d[1]++;
if (s->options & SSL_OP_PKCS1_CHECK_2)
sess->master_key[clear]++;
#endif
- s2n(enc,p);
- d+=enc;
- karg=sess->key_arg_length;
+ s2n(enc, p);
+ d += enc;
+ karg = sess->key_arg_length;
+
s2n(karg,p); /* key arg size */
- if (karg > (int)sizeof(sess->key_arg))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ if (karg > (int)sizeof(sess->key_arg)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
- }
- memcpy(d,sess->key_arg,(unsigned int)karg);
- d+=karg;
-
- s->state=SSL2_ST_SEND_CLIENT_MASTER_KEY_B;
- s->init_num=d-buf;
- s->init_off=0;
}
+ memcpy(d, sess->key_arg,(unsigned int)karg);
+ d += karg;
- /* SSL2_ST_SEND_CLIENT_MASTER_KEY_B */
- return(ssl2_do_write(s));
+ s->state = SSL2_ST_SEND_CLIENT_MASTER_KEY_B;
+ s->init_num = d - buf;
+ s->init_off = 0;
}
-static int client_finished(SSL *s)
- {
+ /* SSL2_ST_SEND_CLIENT_MASTER_KEY_B */
+ return (ssl2_do_write(s));
+}
+
+static int
+client_finished(SSL *s)
+{
unsigned char *p;
- if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A)
- {
- p=(unsigned char *)s->init_buf->data;
- *(p++)=SSL2_MT_CLIENT_FINISHED;
- if (s->s2->conn_id_length > sizeof s->s2->conn_id)
- {
+ if (s->state == SSL2_ST_SEND_CLIENT_FINISHED_A) {
+ p = (unsigned char *)s->init_buf->data;
+ *(p++) = SSL2_MT_CLIENT_FINISHED;
+ if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
- }
- memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
-
- s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
- s->init_num=s->s2->conn_id_length+1;
- s->init_off=0;
}
- return(ssl2_do_write(s));
+ memcpy(p, s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
+
+ s->state = SSL2_ST_SEND_CLIENT_FINISHED_B;
+ s->init_num = s->s2->conn_id_length + 1;
+ s->init_off = 0;
}
+ return (ssl2_do_write(s));
+}
/* read the data and then respond */
-static int client_certificate(SSL *s)
- {
+static int
+client_certificate(SSL *s)
+{
unsigned char *buf;
- unsigned char *p,*d;
+ unsigned char *p, *d;
int i;
unsigned int n;
int cert_ch_len;
unsigned char *cert_ch;
- buf=(unsigned char *)s->init_buf->data;
+ buf = (unsigned char *)s->init_buf->data;
/* We have a cert associated with the SSL, so attach it to
* the session if it does not have one */
- if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
- {
- i=ssl2_read(s,(char *)&(buf[s->init_num]),
- SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
- if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
- return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
+ if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A) {
+ i = ssl2_read(s,(char *)&(buf[s->init_num]),
+ SSL2_MAX_CERT_CHALLENGE_LENGTH + 2 - s->init_num);
+ if (i < (SSL2_MIN_CERT_CHALLENGE_LENGTH + 2 - s->init_num))
+ return (ssl2_part_read(s, SSL_F_CLIENT_CERTIFICATE, i));
s->init_num += i;
if (s->msg_callback)
s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */
/* type=buf[0]; */
/* type eq x509 */
- if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
- {
- ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
- SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE);
- return(-1);
- }
-
- if ((s->cert == NULL) ||
- (s->cert->key->x509 == NULL) ||
- (s->cert->key->privatekey == NULL))
- {
- s->state=SSL2_ST_X509_GET_CLIENT_CERTIFICATE;
- }
- else
- s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
+ if (buf[1] != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) {
+ ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
+ SSLerr(SSL_F_CLIENT_CERTIFICATE, SSL_R_BAD_AUTHENTICATION_TYPE);
+ return (-1);
}
+ if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
+ (s->cert->key->privatekey == NULL)) {
+ s->state = SSL2_ST_X509_GET_CLIENT_CERTIFICATE;
+ } else
+ s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
+ }
+
cert_ch = buf + 2;
cert_ch_len = s->init_num - 2;
- if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE)
- {
- X509 *x509=NULL;
- EVP_PKEY *pkey=NULL;
+ if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE) {
+ X509 *x509 = NULL;
+ EVP_PKEY *pkey = NULL;
/* If we get an error we need to
* ssl->rwstate=SSL_X509_LOOKUP;
@@ -802,326 +781,298 @@ static int client_certificate(SSL *s)
* We should then be retried when things are ok and we
* can get a cert or not */
- i=0;
- if (s->ctx->client_cert_cb != NULL)
- {
- i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
- }
+ i = 0;
+ if (s->ctx->client_cert_cb != NULL) {
+ i = s->ctx->client_cert_cb(s, &(x509), &(pkey));
+ }
- if (i < 0)
- {
- s->rwstate=SSL_X509_LOOKUP;
- return(-1);
- }
- s->rwstate=SSL_NOTHING;
+ if (i < 0) {
+ s->rwstate = SSL_X509_LOOKUP;
+ return (-1);
+ }
+ s->rwstate = SSL_NOTHING;
- if ((i == 1) && (pkey != NULL) && (x509 != NULL))
- {
- s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
- if ( !SSL_use_certificate(s,x509) ||
- !SSL_use_PrivateKey(s,pkey))
- {
- i=0;
- }
+ if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
+ s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
+ if (!SSL_use_certificate(s, x509) ||
+ !SSL_use_PrivateKey(s, pkey)) {
+ i = 0;
+ }
X509_free(x509);
EVP_PKEY_free(pkey);
- }
- else if (i == 1)
- {
- if (x509 != NULL) X509_free(x509);
- if (pkey != NULL) EVP_PKEY_free(pkey);
- SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
- i=0;
- }
+ } else if (i == 1) {
+ if (x509 != NULL)
+ X509_free(x509);
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+ SSLerr(SSL_F_CLIENT_CERTIFICATE, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
+ i = 0;
+ }
- if (i == 0)
- {
+ if (i == 0) {
/* We have no client certificate to respond with
* so send the correct error message back */
- s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_B;
- p=buf;
- *(p++)=SSL2_MT_ERROR;
- s2n(SSL2_PE_NO_CERTIFICATE,p);
- s->init_off=0;
- s->init_num=3;
+ s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_B;
+ p = buf;
+ *(p++) = SSL2_MT_ERROR;
+ s2n(SSL2_PE_NO_CERTIFICATE, p);
+ s->init_off = 0;
+ s->init_num = 3;
/* Write is done at the end */
- }
}
+ }
- if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B)
- {
- return(ssl2_do_write(s));
- }
+ if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_B) {
+ return (ssl2_do_write(s));
+ }
- if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C)
- {
+ if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_C) {
EVP_MD_CTX ctx;
/* ok, now we calculate the checksum
* do it first so we can reuse buf :-) */
- p=buf;
+ p = buf;
EVP_MD_CTX_init(&ctx);
- EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL);
- EVP_SignUpdate(&ctx,s->s2->key_material,
- s->s2->key_material_length);
- EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
- i=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
+ EVP_SignInit_ex(&ctx, s->ctx->rsa_md5, NULL);
+ EVP_SignUpdate(&ctx, s->s2->key_material,
+ s->s2->key_material_length);
+ EVP_SignUpdate(&ctx, cert_ch,(unsigned int)cert_ch_len);
+ i = i2d_X509(s->session->sess_cert->peer_key->x509, &p);
/* Don't update the signature if it fails - FIXME: probably should handle this better */
- if(i > 0)
- EVP_SignUpdate(&ctx,buf,(unsigned int)i);
+ if (i > 0)
+ EVP_SignUpdate(&ctx, buf,(unsigned int)i);
- p=buf;
- d=p+6;
- *(p++)=SSL2_MT_CLIENT_CERTIFICATE;
- *(p++)=SSL2_CT_X509_CERTIFICATE;
- n=i2d_X509(s->cert->key->x509,&d);
- s2n(n,p);
+ p = buf;
+ d = p + 6;
+ *(p++) = SSL2_MT_CLIENT_CERTIFICATE;
+ *(p++) = SSL2_CT_X509_CERTIFICATE;
+ n = i2d_X509(s->cert->key->x509, &d);
+ s2n(n, p);
- if (!EVP_SignFinal(&ctx,d,&n,s->cert->key->privatekey))
- {
+ if (!EVP_SignFinal(&ctx, d, &n, s->cert->key->privatekey)) {
/* this is not good. If things have failed it
* means there so something wrong with the key.
* We will continue with a 0 length signature
*/
- }
+ }
EVP_MD_CTX_cleanup(&ctx);
- s2n(n,p);
- d+=n;
+ s2n(n, p);
+ d += n;
- s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_D;
- s->init_num=d-buf;
- s->init_off=0;
- }
- /* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */
- return(ssl2_do_write(s));
+ s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_D;
+ s->init_num = d - buf;
+ s->init_off = 0;
}
+ /* if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_D) */
+ return (ssl2_do_write(s));
+}
-static int get_server_verify(SSL *s)
- {
+static int
+get_server_verify(SSL *s)
+{
unsigned char *p;
int i, n, len;
- p=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_GET_SERVER_VERIFY_A)
- {
- i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
- if (i < (1-s->init_num))
- return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
+ p = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_GET_SERVER_VERIFY_A) {
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 1 - s->init_num);
+ if (i < (1 - s->init_num))
+ return (ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i));
s->init_num += i;
- s->state= SSL2_ST_GET_SERVER_VERIFY_B;
- if (*p != SSL2_MT_SERVER_VERIFY)
- {
- if (p[0] != SSL2_MT_ERROR)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ s->state = SSL2_ST_GET_SERVER_VERIFY_B;
+ if (*p != SSL2_MT_SERVER_VERIFY) {
+ if (p[0] != SSL2_MT_ERROR) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_VERIFY,
- SSL_R_READ_WRONG_PACKET_TYPE);
- }
- else
- {
- SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_PEER_ERROR);
+ SSL_R_READ_WRONG_PACKET_TYPE);
+ } else {
+ SSLerr(SSL_F_GET_SERVER_VERIFY, SSL_R_PEER_ERROR);
/* try to read the error message */
- i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
- return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
- }
- return(-1);
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 3 - s->init_num);
+ return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i);
}
+ return (-1);
}
-
- p=(unsigned char *)s->init_buf->data;
+ }
+
+ p = (unsigned char *)s->init_buf->data;
len = 1 + s->s2->challenge_length;
- n = len - s->init_num;
- i = ssl2_read(s,(char *)&(p[s->init_num]),n);
+ n = len - s->init_num;
+ i = ssl2_read(s,(char *)&(p[s->init_num]), n);
if (i < n)
- return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
+ return (ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i));
if (s->msg_callback)
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
p += 1;
- if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
- return(-1);
- }
- return(1);
+ if (CRYPTO_memcmp(p, s->s2->challenge, s->s2->challenge_length) != 0) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_VERIFY, SSL_R_CHALLENGE_IS_DIFFERENT);
+ return (-1);
}
+ return (1);
+}
-static int get_server_finished(SSL *s)
- {
+static int
+get_server_finished(SSL *s)
+{
unsigned char *buf;
unsigned char *p;
int i, n, len;
- buf=(unsigned char *)s->init_buf->data;
- p=buf;
- if (s->state == SSL2_ST_GET_SERVER_FINISHED_A)
- {
- i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num);
- if (i < (1-s->init_num))
- return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
+ buf = (unsigned char *)s->init_buf->data;
+ p = buf;
+ if (s->state == SSL2_ST_GET_SERVER_FINISHED_A) {
+ i = ssl2_read(s,(char *)&(buf[s->init_num]), 1 - s->init_num);
+ if (i < (1 - s->init_num))
+ return (ssl2_part_read(s, SSL_F_GET_SERVER_FINISHED, i));
s->init_num += i;
- if (*p == SSL2_MT_REQUEST_CERTIFICATE)
- {
- s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A;
- return(1);
- }
- else if (*p != SSL2_MT_SERVER_FINISHED)
- {
- if (p[0] != SSL2_MT_ERROR)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
- }
- else
- {
- SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
+ if (*p == SSL2_MT_REQUEST_CERTIFICATE) {
+ s->state = SSL2_ST_SEND_CLIENT_CERTIFICATE_A;
+ return (1);
+ } else if (*p != SSL2_MT_SERVER_FINISHED) {
+ if (p[0] != SSL2_MT_ERROR) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_FINISHED, SSL_R_READ_WRONG_PACKET_TYPE);
+ } else {
+ SSLerr(SSL_F_GET_SERVER_FINISHED, SSL_R_PEER_ERROR);
/* try to read the error message */
- i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
- return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
- }
- return(-1);
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 3 - s->init_num);
+ return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i);
}
- s->state=SSL2_ST_GET_SERVER_FINISHED_B;
+ return (-1);
}
+ s->state = SSL2_ST_GET_SERVER_FINISHED_B;
+ }
len = 1 + SSL2_SSL_SESSION_ID_LENGTH;
n = len - s->init_num;
i = ssl2_read(s,(char *)&(buf[s->init_num]), n);
if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */
- return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
+ return (ssl2_part_read(s, SSL_F_GET_SERVER_FINISHED, i));
s->init_num += i;
if (s->msg_callback)
s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */
if (!s->hit) /* new session */
- {
+ {
/* new session-id */
/* Make sure we were not trying to re-use an old SSL_SESSION
* or bad things can happen */
/* ZZZZZZZZZZZZZ */
- s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
- memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
- }
- else
- {
- if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
- {
+ s->session->session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
+ memcpy(s->session->session_id, p + 1, SSL2_SSL_SESSION_ID_LENGTH);
+ } else {
+ if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG)) {
if ((s->session->session_id_length > sizeof s->session->session_id)
|| (0 != memcmp(buf + 1, s->session->session_id,
- (unsigned int)s->session->session_id_length)))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_SSL_SESSION_ID_IS_DIFFERENT);
- return(-1);
- }
+ (unsigned int)s->session->session_id_length))) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_FINISHED, SSL_R_SSL_SESSION_ID_IS_DIFFERENT);
+ return (-1);
}
}
- s->state = SSL_ST_OK;
- return(1);
}
+ s->state = SSL_ST_OK;
+ return (1);
+}
/* loads in the certificate from the server */
-int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data)
- {
- STACK_OF(X509) *sk=NULL;
- EVP_PKEY *pkey=NULL;
- SESS_CERT *sc=NULL;
+int
+ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data)
+{
+ STACK_OF(X509) *sk = NULL;
+ EVP_PKEY *pkey = NULL;
+ SESS_CERT *sc = NULL;
int i;
- X509 *x509=NULL;
- int ret=0;
-
- x509=d2i_X509(NULL,&data,(long)len);
- if (x509 == NULL)
- {
- SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_X509_LIB);
+ X509 *x509 = NULL;
+ int ret = 0;
+
+ x509 = d2i_X509(NULL, &data,(long)len);
+ if (x509 == NULL) {
+ SSLerr(SSL_F_SSL2_SET_CERTIFICATE, ERR_R_X509_LIB);
goto err;
- }
+ }
- if ((sk=sk_X509_new_null()) == NULL || !sk_X509_push(sk,x509))
- {
- SSLerr(SSL_F_SSL2_SET_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+ if ((sk = sk_X509_new_null()) == NULL || !sk_X509_push(sk, x509)) {
+ SSLerr(SSL_F_SSL2_SET_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto err;
- }
+ }
- i=ssl_verify_cert_chain(s,sk);
-
- if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0))
- {
- SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
+ i = ssl_verify_cert_chain(s, sk);
+
+ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) {
+ SSLerr(SSL_F_SSL2_SET_CERTIFICATE, SSL_R_CERTIFICATE_VERIFY_FAILED);
goto err;
- }
+ }
ERR_clear_error(); /* but we keep s->verify_result */
s->session->verify_result = s->verify_result;
/* server's cert for this session */
- sc=ssl_sess_cert_new();
- if (sc == NULL)
- {
- ret= -1;
+ sc = ssl_sess_cert_new();
+ if (sc == NULL) {
+ ret = -1;
goto err;
- }
- if (s->session->sess_cert) ssl_sess_cert_free(s->session->sess_cert);
- s->session->sess_cert=sc;
+ }
+ if (s->session->sess_cert)
+ ssl_sess_cert_free(s->session->sess_cert);
+ s->session->sess_cert = sc;
- sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509=x509;
- sc->peer_key= &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]);
+ sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509 = x509;
+ sc->peer_key = &(sc->peer_pkeys[SSL_PKEY_RSA_ENC]);
- pkey=X509_get_pubkey(x509);
- x509=NULL;
- if (pkey == NULL)
- {
- SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY);
+ pkey = X509_get_pubkey(x509);
+ x509 = NULL;
+ if (pkey == NULL) {
+ SSLerr(SSL_F_SSL2_SET_CERTIFICATE, SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY);
goto err;
- }
- if (pkey->type != EVP_PKEY_RSA)
- {
- SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_PUBLIC_KEY_NOT_RSA);
+ }
+ if (pkey->type != EVP_PKEY_RSA) {
+ SSLerr(SSL_F_SSL2_SET_CERTIFICATE, SSL_R_PUBLIC_KEY_NOT_RSA);
goto err;
- }
+ }
- if (!ssl_set_peer_cert_type(sc,SSL2_CT_X509_CERTIFICATE))
+ if (!ssl_set_peer_cert_type(sc, SSL2_CT_X509_CERTIFICATE))
goto err;
- ret=1;
+ ret = 1;
err:
sk_X509_free(sk);
X509_free(x509);
EVP_PKEY_free(pkey);
- return(ret);
- }
+ return (ret);
+}
-static int ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
- unsigned char *to, int padding)
- {
- EVP_PKEY *pkey=NULL;
- int i= -1;
+static int
+ssl_rsa_public_encrypt(SESS_CERT *sc, int len, unsigned char *from,
+ unsigned char *to, int padding)
+{
+ EVP_PKEY *pkey = NULL;
+ int i = -1;
if ((sc == NULL) || (sc->peer_key->x509 == NULL) ||
- ((pkey=X509_get_pubkey(sc->peer_key->x509)) == NULL))
- {
- SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_NO_PUBLICKEY);
- return(-1);
- }
- if (pkey->type != EVP_PKEY_RSA)
- {
- SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
+ ((pkey = X509_get_pubkey(sc->peer_key->x509)) == NULL)) {
+ SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT, SSL_R_NO_PUBLICKEY);
+ return (-1);
+ }
+ if (pkey->type != EVP_PKEY_RSA) {
+ SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA);
goto end;
- }
+ }
/* we have the public key */
- i=RSA_public_encrypt(len,from,to,pkey->pkey.rsa,padding);
+ i = RSA_public_encrypt(len, from, to, pkey->pkey.rsa, padding);
if (i < 0)
- SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT,ERR_R_RSA_LIB);
+ SSLerr(SSL_F_SSL_RSA_PUBLIC_ENCRYPT, ERR_R_RSA_LIB);
end:
EVP_PKEY_free(pkey);
- return(i);
- }
+ return (i);
+}
#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
-static void *dummy=&dummy;
+static void *dummy = &dummy;
# endif
#endif
diff --git a/lib/libssl/src/ssl/s2_enc.c b/lib/libssl/src/ssl/s2_enc.c
index ff3395f459e..8d2273f9ef9 100644
--- a/lib/libssl/src/ssl/s2_enc.c
+++ b/lib/libssl/src/ssl/s2_enc.c
@@ -60,134 +60,131 @@
#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
-int ssl2_enc_init(SSL *s, int client)
- {
+int
+ssl2_enc_init(SSL *s, int client)
+{
/* Max number of bytes needed */
- EVP_CIPHER_CTX *rs,*ws;
+ EVP_CIPHER_CTX *rs, *ws;
const EVP_CIPHER *c;
const EVP_MD *md;
int num;
- if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
- return(0);
- }
- ssl_replace_hash(&s->read_hash,md);
- ssl_replace_hash(&s->write_hash,md);
-
- if ((s->enc_read_ctx == NULL) &&
- ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
- OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_SSL2_ENC_INIT, SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+ return (0);
+ }
+ ssl_replace_hash(&s->read_hash, md);
+ ssl_replace_hash(&s->write_hash, md);
+
+ if ((s->enc_read_ctx == NULL) && ((s->enc_read_ctx =
+ (EVP_CIPHER_CTX *)OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
goto err;
/* make sure it's intialized in case the malloc for enc_write_ctx fails
* and we exit with an error */
- rs= s->enc_read_ctx;
+ rs = s->enc_read_ctx;
EVP_CIPHER_CTX_init(rs);
- if ((s->enc_write_ctx == NULL) &&
- ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
- OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx =
+ (EVP_CIPHER_CTX *)OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
goto err;
- ws= s->enc_write_ctx;
+ ws = s->enc_write_ctx;
EVP_CIPHER_CTX_init(ws);
- num=c->key_len;
- s->s2->key_material_length=num*2;
+ num = c->key_len;
+ s->s2->key_material_length = num*2;
OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material);
if (ssl2_generate_key_material(s) <= 0)
return 0;
OPENSSL_assert(c->iv_len <= (int)sizeof(s->session->key_arg));
- EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]),
- s->session->key_arg);
- EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]),
- s->session->key_arg);
- s->s2->read_key= &(s->s2->key_material[(client)?0:num]);
- s->s2->write_key= &(s->s2->key_material[(client)?num:0]);
- return(1);
+ EVP_EncryptInit_ex(ws, c, NULL, &(s->s2->key_material[(client) ? num : 0]),
+ s->session->key_arg);
+ EVP_DecryptInit_ex(rs, c, NULL, &(s->s2->key_material[(client) ? 0 : num]),
+ s->session->key_arg);
+ s->s2->read_key = &(s->s2->key_material[(client) ? 0 : num]);
+ s->s2->write_key = &(s->s2->key_material[(client) ? num : 0]);
+ return (1);
err:
- SSLerr(SSL_F_SSL2_ENC_INIT,ERR_R_MALLOC_FAILURE);
- return(0);
- }
+ SSLerr(SSL_F_SSL2_ENC_INIT, ERR_R_MALLOC_FAILURE);
+ return (0);
+}
/* read/writes from s->s2->mac_data using length for encrypt and
* decrypt. It sets s->s2->padding and s->[rw]length
* if we are encrypting */
-void ssl2_enc(SSL *s, int send)
- {
+void
+ssl2_enc(SSL *s, int send)
+{
EVP_CIPHER_CTX *ds;
unsigned long l;
int bs;
- if (send)
- {
- ds=s->enc_write_ctx;
- l=s->s2->wlength;
- }
- else
- {
- ds=s->enc_read_ctx;
- l=s->s2->rlength;
- }
+ if (send) {
+ ds = s->enc_write_ctx;
+ l = s->s2->wlength;
+ } else {
+ ds = s->enc_read_ctx;
+ l = s->s2->rlength;
+ }
/* check for NULL cipher */
- if (ds == NULL) return;
+ if (ds == NULL)
+ return;
- bs=ds->cipher->block_size;
+ bs = ds->cipher->block_size;
/* This should be using (bs-1) and bs instead of 7 and 8, but
* what the hell. */
if (bs == 8)
- l=(l+7)/8*8;
+ l = (l + 7) / 8 * 8;
- EVP_Cipher(ds,s->s2->mac_data,s->s2->mac_data,l);
- }
+ EVP_Cipher(ds, s->s2->mac_data, s->s2->mac_data, l);
+}
-void ssl2_mac(SSL *s, unsigned char *md, int send)
- {
+void
+ssl2_mac(SSL *s, unsigned char *md, int send)
+{
EVP_MD_CTX c;
- unsigned char sequence[4],*p,*sec,*act;
+ unsigned char sequence[4], *p, *sec, *act;
unsigned long seq;
unsigned int len;
- if (send)
- {
- seq=s->s2->write_sequence;
- sec=s->s2->write_key;
- len=s->s2->wact_data_length;
- act=s->s2->wact_data;
- }
- else
- {
- seq=s->s2->read_sequence;
- sec=s->s2->read_key;
- len=s->s2->ract_data_length;
- act=s->s2->ract_data;
- }
-
- p= &(sequence[0]);
- l2n(seq,p);
+ if (send) {
+ seq = s->s2->write_sequence;
+ sec = s->s2->write_key;
+ len = s->s2->wact_data_length;
+ act = s->s2->wact_data;
+ } else {
+ seq = s->s2->read_sequence;
+ sec = s->s2->read_key;
+ len = s->s2->ract_data_length;
+ act = s->s2->ract_data;
+ }
+
+ p = &(sequence[0]);
+ l2n(seq, p);
/* There has to be a MAC algorithm. */
EVP_MD_CTX_init(&c);
EVP_MD_CTX_copy(&c, s->read_hash);
- EVP_DigestUpdate(&c,sec,
- EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
- EVP_DigestUpdate(&c,act,len);
+ EVP_DigestUpdate(&c, sec,
+ EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
+ EVP_DigestUpdate(&c, act, len);
+
/* the above line also does the pad data */
- EVP_DigestUpdate(&c,sequence,4);
- EVP_DigestFinal_ex(&c,md,NULL);
+ EVP_DigestUpdate(&c, sequence, 4);
+
+ EVP_DigestFinal_ex(&c, md, NULL);
EVP_MD_CTX_cleanup(&c);
- }
+}
#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
-static void *dummy=&dummy;
+static void *dummy = &dummy;
# endif
#endif
diff --git a/lib/libssl/src/ssl/s2_lib.c b/lib/libssl/src/ssl/s2_lib.c
index 99146041091..d3764ebbe90 100644
--- a/lib/libssl/src/ssl/s2_lib.c
+++ b/lib/libssl/src/ssl/s2_lib.c
@@ -121,336 +121,355 @@ const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT;
#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
/* list of available SSLv2 ciphers (sorted by id) */
-OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
+OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
#if 0
/* NULL_WITH_MD5 v3 */
{
- 1,
- SSL2_TXT_NULL_WITH_MD5,
- SSL2_CK_NULL_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_eNULL,
- SSL_MD5,
- SSL_SSLV2,
- SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE,
- 0,
- 0,
- 0,
+ 1,
+ SSL2_TXT_NULL_WITH_MD5,
+ SSL2_CK_NULL_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_eNULL,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE,
+ 0,
+ 0,
+ 0,
},
#endif
/* RC4_128_WITH_MD5 */
{
- 1,
- SSL2_TXT_RC4_128_WITH_MD5,
- SSL2_CK_RC4_128_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_MEDIUM,
- 0,
- 128,
- 128,
+ 1,
+ SSL2_TXT_RC4_128_WITH_MD5,
+ SSL2_CK_RC4_128_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_RC4,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
},
/* RC4_128_EXPORT40_WITH_MD5 */
{
- 1,
- SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
- SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV2,
- SSL_EXPORT|SSL_EXP40,
- SSL2_CF_5_BYTE_ENC,
- 40,
- 128,
+ 1,
+ SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
+ SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_RC4,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_EXPORT|SSL_EXP40,
+ SSL2_CF_5_BYTE_ENC,
+ 40,
+ 128,
},
/* RC2_128_CBC_WITH_MD5 */
{
- 1,
- SSL2_TXT_RC2_128_CBC_WITH_MD5,
- SSL2_CK_RC2_128_CBC_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC2,
- SSL_MD5,
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_MEDIUM,
- 0,
- 128,
- 128,
+ 1,
+ SSL2_TXT_RC2_128_CBC_WITH_MD5,
+ SSL2_CK_RC2_128_CBC_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_RC2,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
},
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
{
- 1,
- SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC2,
- SSL_MD5,
- SSL_SSLV2,
- SSL_EXPORT|SSL_EXP40,
- SSL2_CF_5_BYTE_ENC,
- 40,
- 128,
+ 1,
+ SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
+ SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_RC2,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_EXPORT|SSL_EXP40,
+ SSL2_CF_5_BYTE_ENC,
+ 40,
+ 128,
},
#ifndef OPENSSL_NO_IDEA
/* IDEA_128_CBC_WITH_MD5 */
{
- 1,
- SSL2_TXT_IDEA_128_CBC_WITH_MD5,
- SSL2_CK_IDEA_128_CBC_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_IDEA,
- SSL_MD5,
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_MEDIUM,
- 0,
- 128,
- 128,
+ 1,
+ SSL2_TXT_IDEA_128_CBC_WITH_MD5,
+ SSL2_CK_IDEA_128_CBC_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_IDEA,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
},
#endif
/* DES_64_CBC_WITH_MD5 */
{
- 1,
- SSL2_TXT_DES_64_CBC_WITH_MD5,
- SSL2_CK_DES_64_CBC_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_DES,
- SSL_MD5,
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_LOW,
- 0,
- 56,
- 56,
+ 1,
+ SSL2_TXT_DES_64_CBC_WITH_MD5,
+ SSL2_CK_DES_64_CBC_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_DES,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_LOW,
+ 0,
+ 56,
+ 56,
},
/* DES_192_EDE3_CBC_WITH_MD5 */
{
- 1,
- SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
- SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_3DES,
- SSL_MD5,
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_HIGH,
- 0,
- 168,
- 168,
+ 1,
+ SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
+ SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_3DES,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 168,
+ 168,
},
#if 0
/* RC4_64_WITH_MD5 */
{
- 1,
- SSL2_TXT_RC4_64_WITH_MD5,
- SSL2_CK_RC4_64_WITH_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV2,
- SSL_NOT_EXP|SSL_LOW,
- SSL2_CF_8_BYTE_ENC,
- 64,
- 64,
+ 1,
+ SSL2_TXT_RC4_64_WITH_MD5,
+ SSL2_CK_RC4_64_WITH_MD5,
+ SSL_kRSA,
+ SSL_aRSA,
+ SSL_RC4,
+ SSL_MD5,
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_LOW,
+ SSL2_CF_8_BYTE_ENC,
+ 64,
+ 64,
},
#endif
#if 0
/* NULL SSLeay (testing) */
- {
- 0,
- SSL2_TXT_NULL,
- SSL2_CK_NULL,
- 0,
- 0,
- 0,
- 0,
- SSL_SSLV2,
- SSL_STRONG_NONE,
- 0,
- 0,
- 0,
+ {
+ 0,
+ SSL2_TXT_NULL,
+ SSL2_CK_NULL,
+ 0,
+ 0,
+ 0,
+ 0,
+ SSL_SSLV2,
+ SSL_STRONG_NONE,
+ 0,
+ 0,
+ 0,
},
#endif
/* end of list :-) */
- };
-
-long ssl2_default_timeout(void)
- {
- return(300);
- }
-
-int ssl2_num_ciphers(void)
- {
- return(SSL2_NUM_CIPHERS);
- }
-
-const SSL_CIPHER *ssl2_get_cipher(unsigned int u)
- {
+};
+
+long
+ssl2_default_timeout(void)
+{
+ return (300);
+}
+
+int
+ssl2_num_ciphers(void)
+{
+ return (SSL2_NUM_CIPHERS);
+}
+
+const SSL_CIPHER
+*ssl2_get_cipher(unsigned int u)
+{
if (u < SSL2_NUM_CIPHERS)
- return(&(ssl2_ciphers[SSL2_NUM_CIPHERS-1-u]));
+ return (&(ssl2_ciphers[SSL2_NUM_CIPHERS - 1 - u]));
else
- return(NULL);
- }
+ return (NULL);
+}
-int ssl2_pending(const SSL *s)
- {
+int
+ssl2_pending(const SSL *s)
+{
return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
- }
+}
-int ssl2_new(SSL *s)
- {
+int
+ssl2_new(SSL *s)
+{
SSL2_STATE *s2;
- if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
- memset(s2,0,sizeof *s2);
+ if ((s2 = OPENSSL_malloc(sizeof *s2)) == NULL)
+ goto err;
+ memset(s2, 0, sizeof *s2);
#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
# error "assertion failed"
#endif
- if ((s2->rbuf=OPENSSL_malloc(
- SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
+ if ((s2->rbuf = OPENSSL_malloc(
+ SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2)) == NULL)
+ goto err;
/* wbuf needs one byte more because when using two-byte headers,
* we leave the first byte unused in do_ssl_write (s2_pkt.c) */
- if ((s2->wbuf=OPENSSL_malloc(
- SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
- s->s2=s2;
+ if ((s2->wbuf = OPENSSL_malloc(
+ SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 3)) == NULL)
+ goto err;
+ s->s2 = s2;
ssl2_clear(s);
- return(1);
+ return (1);
err:
- if (s2 != NULL)
- {
- if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
- if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
+ if (s2 != NULL) {
+ if (s2->wbuf != NULL)
+ OPENSSL_free(s2->wbuf);
+ if (s2->rbuf != NULL)
+ OPENSSL_free(s2->rbuf);
OPENSSL_free(s2);
- }
- return(0);
}
+ return (0);
+}
-void ssl2_free(SSL *s)
- {
+void
+ssl2_free(SSL *s)
+{
SSL2_STATE *s2;
- if(s == NULL)
- return;
+ if (s == NULL)
+ return;
- s2=s->s2;
- if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
- if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
- OPENSSL_cleanse(s2,sizeof *s2);
+ s2 = s->s2;
+ if (s2->rbuf != NULL)
+ OPENSSL_free(s2->rbuf);
+ if (s2->wbuf != NULL)
+ OPENSSL_free(s2->wbuf);
+ OPENSSL_cleanse(s2, sizeof *s2);
OPENSSL_free(s2);
- s->s2=NULL;
- }
+ s->s2 = NULL;
+}
-void ssl2_clear(SSL *s)
- {
+void
+ssl2_clear(SSL *s)
+{
SSL2_STATE *s2;
- unsigned char *rbuf,*wbuf;
+ unsigned char *rbuf, *wbuf;
- s2=s->s2;
+ s2 = s->s2;
- rbuf=s2->rbuf;
- wbuf=s2->wbuf;
+ rbuf = s2->rbuf;
+ wbuf = s2->wbuf;
- memset(s2,0,sizeof *s2);
+ memset(s2, 0, sizeof *s2);
- s2->rbuf=rbuf;
- s2->wbuf=wbuf;
- s2->clear_text=1;
- s->packet=s2->rbuf;
- s->version=SSL2_VERSION;
- s->packet_length=0;
- }
+ s2->rbuf = rbuf;
+ s2->wbuf = wbuf;
+ s2->clear_text = 1;
+ s->packet = s2->rbuf;
+ s->version = SSL2_VERSION;
+ s->packet_length = 0;
+}
-long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
- {
- int ret=0;
+long
+ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
+{
+ int ret = 0;
- switch(cmd)
- {
+ switch (cmd) {
case SSL_CTRL_GET_SESSION_REUSED:
- ret=s->hit;
+ ret = s->hit;
break;
default:
break;
- }
- return(ret);
- }
-
-long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
- {
- return(0);
- }
-
-long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
- {
- return(0);
- }
-
-long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
- {
- return(0);
}
+ return (ret);
+}
+
+long
+ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
+{
+ return (0);
+}
+
+long
+ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
+{
+ return (0);
+}
+
+long
+ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
+{
+ return (0);
+}
/* This function needs to check if the ciphers required are actually
* available */
-const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
- {
+const SSL_CIPHER
+*ssl2_get_cipher_by_char(const unsigned char *p)
+{
SSL_CIPHER c;
const SSL_CIPHER *cp;
unsigned long id;
- id=0x02000000L|((unsigned long)p[0]<<16L)|
- ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
- c.id=id;
+ id = 0x02000000L|((unsigned long)p[0]<<16L)|
+ ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
+ c.id = id;
cp = OBJ_bsearch_ssl_cipher_id(&c, ssl2_ciphers, SSL2_NUM_CIPHERS);
if ((cp == NULL) || (cp->valid == 0))
return NULL;
else
return cp;
- }
+}
-int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
- {
+int
+ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+{
long l;
- if (p != NULL)
- {
- l=c->id;
- if ((l & 0xff000000) != 0x02000000) return(0);
- p[0]=((unsigned char)(l>>16L))&0xFF;
- p[1]=((unsigned char)(l>> 8L))&0xFF;
- p[2]=((unsigned char)(l ))&0xFF;
- }
- return(3);
+ if (p != NULL) {
+ l = c->id;
+ if ((l & 0xff000000) != 0x02000000)
+ return (0);
+ p[0] = ((unsigned char)(l >> 16L))&0xFF;
+ p[1] = ((unsigned char)(l >> 8L))&0xFF;
+ p[2] = ((unsigned char)(l ))&0xFF;
}
+ return (3);
+}
-int ssl2_generate_key_material(SSL *s)
- {
+int
+ssl2_generate_key_material(SSL *s)
+{
unsigned int i;
EVP_MD_CTX ctx;
unsigned char *km;
- unsigned char c='0';
+ unsigned char c = '0';
const EVP_MD *md5;
int md_size;
@@ -461,96 +480,94 @@ int ssl2_generate_key_material(SSL *s)
see SSLv2 docu */
#endif
EVP_MD_CTX_init(&ctx);
- km=s->s2->key_material;
-
- if (s->session->master_key_length < 0 ||
- s->session->master_key_length > (int)sizeof(s->session->master_key))
- {
- SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
- return 0;
- }
+ km = s->s2->key_material;
+
+ if (s->session->master_key_length < 0 ||
+ s->session->master_key_length > (int)sizeof(s->session->master_key)) {
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
md_size = EVP_MD_size(md5);
if (md_size < 0)
- return 0;
- for (i=0; i<s->s2->key_material_length; i += md_size)
- {
+ return 0;
+ for (i = 0; i < s->s2->key_material_length; i += md_size) {
if (((km - s->s2->key_material) + md_size) >
- (int)sizeof(s->s2->key_material))
- {
+ (int)sizeof(s->s2->key_material)) {
/* EVP_DigestFinal_ex() below would write beyond buffer */
SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
return 0;
- }
+ }
EVP_DigestInit_ex(&ctx, md5, NULL);
- OPENSSL_assert(s->session->master_key_length >= 0
- && s->session->master_key_length
- < (int)sizeof(s->session->master_key));
- EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
- EVP_DigestUpdate(&ctx,&c,1);
+ OPENSSL_assert(s->session->master_key_length >= 0 &&
+ s->session->master_key_length <
+ (int)sizeof(s->session->master_key));
+ EVP_DigestUpdate(&ctx, s->session->master_key, s->session->master_key_length);
+ EVP_DigestUpdate(&ctx, &c, 1);
c++;
- EVP_DigestUpdate(&ctx,s->s2->challenge,s->s2->challenge_length);
- EVP_DigestUpdate(&ctx,s->s2->conn_id,s->s2->conn_id_length);
- EVP_DigestFinal_ex(&ctx,km,NULL);
+ EVP_DigestUpdate(&ctx, s->s2->challenge, s->s2->challenge_length);
+ EVP_DigestUpdate(&ctx, s->s2->conn_id, s->s2->conn_id_length);
+ EVP_DigestFinal_ex(&ctx, km, NULL);
km += md_size;
- }
+ }
EVP_MD_CTX_cleanup(&ctx);
return 1;
- }
+}
-void ssl2_return_error(SSL *s, int err)
- {
- if (!s->error)
- {
- s->error=3;
- s->error_code=err;
+void
+ssl2_return_error(SSL *s, int err)
+{
+ if (!s->error) {
+ s->error = 3;
+ s->error_code = err;
ssl2_write_error(s);
- }
}
+}
-void ssl2_write_error(SSL *s)
- {
+void
+ssl2_write_error(SSL *s)
+{
unsigned char buf[3];
- int i,error;
+ int i, error;
- buf[0]=SSL2_MT_ERROR;
- buf[1]=(s->error_code>>8)&0xff;
- buf[2]=(s->error_code)&0xff;
+ buf[0] = SSL2_MT_ERROR;
+ buf[1] = (s->error_code >> 8)&0xff;
+ buf[2] = (s->error_code)&0xff;
/* state=s->rwstate;*/
error=s->error; /* number of bytes left to write */
- s->error=0;
+ s->error = 0;
OPENSSL_assert(error >= 0 && error <= (int)sizeof(buf));
- i=ssl2_write(s,&(buf[3-error]),error);
+ i = ssl2_write(s, &(buf[3 - error]), error);
/* if (i == error) s->rwstate=state; */
if (i < 0)
- s->error=error;
- else
- {
- s->error=error-i;
+ s->error = error;
+ else {
+ s->error = error - i;
if (s->error == 0)
if (s->msg_callback)
s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); /* ERROR */
- }
- }
-
-int ssl2_shutdown(SSL *s)
- {
- s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
- return(1);
}
+}
+
+int
+ssl2_shutdown(SSL *s)
+{
+ s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
+ return (1);
+}
#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
-static void *dummy=&dummy;
+static void *dummy = &dummy;
# endif
#endif
diff --git a/lib/libssl/src/ssl/s2_meth.c b/lib/libssl/src/ssl/s2_meth.c
index f0e8ca593d4..ca08fc6e224 100644
--- a/lib/libssl/src/ssl/s2_meth.c
+++ b/lib/libssl/src/ssl/s2_meth.c
@@ -62,23 +62,22 @@
#include <openssl/objects.h>
static const SSL_METHOD *ssl2_get_method(int ver);
-static const SSL_METHOD *ssl2_get_method(int ver)
- {
+static const SSL_METHOD
+*ssl2_get_method(int ver)
+{
if (ver == SSL2_VERSION)
- return(SSLv2_method());
+ return (SSLv2_method());
else
- return(NULL);
- }
+ return (NULL);
+}
IMPLEMENT_ssl2_meth_func(SSLv2_method,
- ssl2_accept,
- ssl2_connect,
- ssl2_get_method)
+ ssl2_accept, ssl2_connect, ssl2_get_method)
#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
-static void *dummy=&dummy;
+static void *dummy = &dummy;
# endif
#endif
diff --git a/lib/libssl/src/ssl/s2_pkt.c b/lib/libssl/src/ssl/s2_pkt.c
index 7efad40153b..3a92c81d655 100644
--- a/lib/libssl/src/ssl/s2_pkt.c
+++ b/lib/libssl/src/ssl/s2_pkt.c
@@ -114,7 +114,7 @@
#include <stdio.h>
#include <errno.h>
-static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
+static int read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend);
static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
static int ssl_mt_error(int n);
@@ -123,158 +123,145 @@ static int ssl_mt_error(int n);
/* SSL 2.0 imlementation for SSL_read/SSL_peek -
* This routine will return 0 to len bytes, decrypted etc if required.
*/
-static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
- {
+static int
+ssl2_read_internal(SSL *s, void *buf, int len, int peek)
+{
int n;
unsigned char mac[MAX_MAC_SIZE];
unsigned char *p;
int i;
int mac_size;
- ssl2_read_again:
- if (SSL_in_init(s) && !s->in_handshake)
- {
- n=s->handshake_func(s);
- if (n < 0) return(n);
- if (n == 0)
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE);
- return(-1);
- }
+ ssl2_read_again:
+ if (SSL_in_init(s) && !s->in_handshake) {
+ n = s->handshake_func(s);
+ if (n < 0)
+ return (n);
+ if (n == 0) {
+ SSLerr(SSL_F_SSL2_READ_INTERNAL, SSL_R_SSL_HANDSHAKE_FAILURE);
+ return (-1);
}
+ }
errno = 0;
- s->rwstate=SSL_NOTHING;
- if (len <= 0) return(len);
+ s->rwstate = SSL_NOTHING;
+ if (len <= 0)
+ return (len);
if (s->s2->ract_data_length != 0) /* read from buffer */
- {
+ {
if (len > s->s2->ract_data_length)
- n=s->s2->ract_data_length;
+ n = s->s2->ract_data_length;
else
- n=len;
+ n = len;
- memcpy(buf,s->s2->ract_data,(unsigned int)n);
- if (!peek)
- {
- s->s2->ract_data_length-=n;
- s->s2->ract_data+=n;
+ memcpy(buf, s->s2->ract_data,(unsigned int)n);
+ if (!peek) {
+ s->s2->ract_data_length -= n;
+ s->s2->ract_data += n;
if (s->s2->ract_data_length == 0)
- s->rstate=SSL_ST_READ_HEADER;
- }
-
- return(n);
+ s->rstate = SSL_ST_READ_HEADER;
}
+ return (n);
+ }
+
/* s->s2->ract_data_length == 0
*
* Fill the buffer, then goto ssl2_read_again.
*/
- if (s->rstate == SSL_ST_READ_HEADER)
- {
- if (s->first_packet)
- {
- n=read_n(s,5,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0);
+ if (s->rstate == SSL_ST_READ_HEADER) {
+ if (s->first_packet) {
+ n = read_n(s, 5, SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2, 0);
if (n <= 0) return(n); /* error or non-blocking */
- s->first_packet=0;
- p=s->packet;
+ s->first_packet = 0;
+ p = s->packet;
if (!((p[0] & 0x80) && (
- (p[2] == SSL2_MT_CLIENT_HELLO) ||
- (p[2] == SSL2_MT_SERVER_HELLO))))
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET);
- return(-1);
- }
- }
- else
- {
- n=read_n(s,2,SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2,0);
- if (n <= 0) return(n); /* error or non-blocking */
+ (p[2] == SSL2_MT_CLIENT_HELLO) ||
+ (p[2] == SSL2_MT_SERVER_HELLO)))) {
+ SSLerr(SSL_F_SSL2_READ_INTERNAL, SSL_R_NON_SSLV2_INITIAL_PACKET);
+ return (-1);
}
+ } else {
+ n = read_n(s, 2, SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2, 0);
+ if (n <= 0)
+ return(n); /* error or non-blocking */
+ }
/* part read stuff */
- s->rstate=SSL_ST_READ_BODY;
- p=s->packet;
+ s->rstate = SSL_ST_READ_BODY;
+ p = s->packet;
/* Do header */
/*s->s2->padding=0;*/
- s->s2->escape=0;
- s->s2->rlength=(((unsigned int)p[0])<<8)|((unsigned int)p[1]);
+ s->s2->escape = 0;
+ s->s2->rlength = (((unsigned int)p[0]) << 8)|((unsigned int)p[1]);
if ((p[0] & TWO_BYTE_BIT)) /* Two byte header? */
- {
- s->s2->three_byte_header=0;
- s->s2->rlength&=TWO_BYTE_MASK;
- }
- else
- {
- s->s2->three_byte_header=1;
+ {
+ s->s2->three_byte_header = 0;
+ s->s2->rlength&=TWO_BYTE_MASK;
+
+ } else {
+ s->s2->three_byte_header = 1;
s->s2->rlength&=THREE_BYTE_MASK;
/* security >s2->escape */
- s->s2->escape=((p[0] & SEC_ESC_BIT))?1:0;
- }
+ s->s2->escape = ((p[0] & SEC_ESC_BIT)) ? 1 : 0;
}
+ }
- if (s->rstate == SSL_ST_READ_BODY)
- {
- n=s->s2->rlength+2+s->s2->three_byte_header;
- if (n > (int)s->packet_length)
- {
- n-=s->packet_length;
- i=read_n(s,(unsigned int)n,(unsigned int)n,1);
- if (i <= 0) return(i); /* ERROR */
- }
+ if (s->rstate == SSL_ST_READ_BODY) {
+ n = s->s2->rlength + 2 + s->s2->three_byte_header;
+ if (n > (int)s->packet_length) {
+ n -= s->packet_length;
+ i = read_n(s, (unsigned int)n, (unsigned int)n, 1);
+ if (i <= 0)
+ return(i); /* ERROR */
+ }
- p= &(s->packet[2]);
- s->rstate=SSL_ST_READ_HEADER;
+ p = &(s->packet[2]);
+ s->rstate = SSL_ST_READ_HEADER;
if (s->s2->three_byte_header)
s->s2->padding= *(p++);
- else s->s2->padding=0;
+ else s->s2->padding = 0;
/* Data portion */
- if (s->s2->clear_text)
- {
+ if (s->s2->clear_text) {
mac_size = 0;
- s->s2->mac_data=p;
- s->s2->ract_data=p;
- if (s->s2->padding)
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING);
- return(-1);
- }
+ s->s2->mac_data = p;
+ s->s2->ract_data = p;
+ if (s->s2->padding) {
+ SSLerr(SSL_F_SSL2_READ_INTERNAL, SSL_R_ILLEGAL_PADDING);
+ return (-1);
}
- else
- {
- mac_size=EVP_MD_CTX_size(s->read_hash);
+ } else {
+ mac_size = EVP_MD_CTX_size(s->read_hash);
if (mac_size < 0)
return -1;
OPENSSL_assert(mac_size <= MAX_MAC_SIZE);
- s->s2->mac_data=p;
- s->s2->ract_data= &p[mac_size];
- if (s->s2->padding + mac_size > s->s2->rlength)
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING);
- return(-1);
- }
+ s->s2->mac_data = p;
+ s->s2->ract_data = &p[mac_size];
+ if (s->s2->padding + mac_size > s->s2->rlength) {
+ SSLerr(SSL_F_SSL2_READ_INTERNAL, SSL_R_ILLEGAL_PADDING);
+ return (-1);
}
+ }
- s->s2->ract_data_length=s->s2->rlength;
+ s->s2->ract_data_length = s->s2->rlength;
/* added a check for length > max_size in case
* encryption was not turned on yet due to an error */
if ((!s->s2->clear_text) &&
- (s->s2->rlength >= (unsigned int)mac_size))
- {
- ssl2_enc(s,0);
- s->s2->ract_data_length-=mac_size;
- ssl2_mac(s,mac,0);
- s->s2->ract_data_length-=s->s2->padding;
- if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
- (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
- return(-1);
- }
+ (s->s2->rlength >= (unsigned int)mac_size)) {
+ ssl2_enc(s, 0);
+ s->s2->ract_data_length -= mac_size;
+ ssl2_mac(s, mac, 0);
+ s->s2->ract_data_length -= s->s2->padding;
+ if ((CRYPTO_memcmp(mac, s->s2->mac_data, mac_size) != 0) ||
+ (s->s2->rlength % EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) {
+ SSLerr(SSL_F_SSL2_READ_INTERNAL, SSL_R_BAD_MAC_DECODE);
+ return (-1);
}
+ }
INC32(s->s2->read_sequence); /* expect next number */
/* s->s2->ract_data is now available for processing */
@@ -291,181 +278,166 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
* renegotiation can confuse things even more.] */
goto ssl2_read_again; /* This should really be
- * "return ssl2_read(s,buf,len)",
- * but that would allow for
- * denial-of-service attacks if a
- * C compiler is used that does not
+ * "return ssl2_read(s, buf, len)",
+ * but that would allow for
+ * denial - of - service attacks if a
+ * C compiler is used that does not
* recognize end-recursion. */
- }
- else
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE);
- return(-1);
- }
+ } else {
+ SSLerr(SSL_F_SSL2_READ_INTERNAL, SSL_R_BAD_STATE);
+ return (-1);
}
+}
-int ssl2_read(SSL *s, void *buf, int len)
- {
+int
+ssl2_read(SSL *s, void *buf, int len)
+{
return ssl2_read_internal(s, buf, len, 0);
- }
+}
-int ssl2_peek(SSL *s, void *buf, int len)
- {
+int
+ssl2_peek(SSL *s, void *buf, int len)
+{
return ssl2_read_internal(s, buf, len, 1);
- }
+}
-static int read_n(SSL *s, unsigned int n, unsigned int max,
- unsigned int extend)
- {
- int i,off,newb;
+static int
+read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend)
+{
+ int i, off, newb;
/* if there is stuff still in the buffer from a previous read,
* and there is more than we want, take some. */
- if (s->s2->rbuf_left >= (int)n)
- {
+ if (s->s2->rbuf_left >= (int)n) {
if (extend)
- s->packet_length+=n;
- else
- {
- s->packet= &(s->s2->rbuf[s->s2->rbuf_offs]);
- s->packet_length=n;
- }
- s->s2->rbuf_left-=n;
- s->s2->rbuf_offs+=n;
- return(n);
+ s->packet_length += n;
+ else {
+ s->packet = &(s->s2->rbuf[s->s2->rbuf_offs]);
+ s->packet_length = n;
}
+ s->s2->rbuf_left -= n;
+ s->s2->rbuf_offs += n;
+ return (n);
+ }
+
+ if (!s->read_ahead)
+ max = n;
+ if (max > (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2))
+ max = SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2;
- if (!s->read_ahead) max=n;
- if (max > (unsigned int)(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2))
- max=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2;
-
/* Else we want more than we have.
* First, if there is some left or we want to extend */
- off=0;
- if ((s->s2->rbuf_left != 0) || ((s->packet_length != 0) && extend))
- {
- newb=s->s2->rbuf_left;
- if (extend)
- {
- off=s->packet_length;
+ off = 0;
+ if ((s->s2->rbuf_left != 0) || ((s->packet_length != 0) && extend)) {
+ newb = s->s2->rbuf_left;
+ if (extend) {
+ off = s->packet_length;
if (s->packet != s->s2->rbuf)
- memcpy(s->s2->rbuf,s->packet,
- (unsigned int)newb+off);
- }
- else if (s->s2->rbuf_offs != 0)
- {
- memcpy(s->s2->rbuf,&(s->s2->rbuf[s->s2->rbuf_offs]),
- (unsigned int)newb);
- s->s2->rbuf_offs=0;
- }
- s->s2->rbuf_left=0;
+ memcpy(s->s2->rbuf, s->packet,
+ (unsigned int)newb + off);
+ } else if (s->s2->rbuf_offs != 0) {
+ memcpy(s->s2->rbuf, &(s->s2->rbuf[s->s2->rbuf_offs]),
+ (unsigned int)newb);
+ s->s2->rbuf_offs = 0;
}
- else
- newb=0;
+ s->s2->rbuf_left = 0;
+ } else
+ newb = 0;
/* off is the offset to start writing too.
* r->s2->rbuf_offs is the 'unread data', now 0.
* newb is the number of new bytes so far
*/
- s->packet=s->s2->rbuf;
- while (newb < (int)n)
- {
+ s->packet = s->s2->rbuf;
+ while (newb < (int)n) {
errno = 0;
- if (s->rbio != NULL)
- {
- s->rwstate=SSL_READING;
- i=BIO_read(s->rbio,(char *)&(s->s2->rbuf[off+newb]),
- max-newb);
- }
- else
- {
- SSLerr(SSL_F_READ_N,SSL_R_READ_BIO_NOT_SET);
- i= -1;
- }
+ if (s->rbio != NULL) {
+ s->rwstate = SSL_READING;
+ i = BIO_read(s->rbio,(char *)&(s->s2->rbuf[off + newb]),
+ max - newb);
+ } else {
+ SSLerr(SSL_F_READ_N, SSL_R_READ_BIO_NOT_SET);
+ i = -1;
+ }
#ifdef PKT_DEBUG
- if (s->debug & 0x01) sleep(1);
+ if (s->debug & 0x01)
+ sleep(1);
#endif
- if (i <= 0)
- {
- s->s2->rbuf_left+=newb;
- return(i);
- }
- newb+=i;
+ if (i <= 0) {
+ s->s2->rbuf_left += newb;
+ return (i);
}
+ newb += i;
+ }
/* record unread data */
- if (newb > (int)n)
- {
- s->s2->rbuf_offs=n+off;
- s->s2->rbuf_left=newb-n;
- }
- else
- {
- s->s2->rbuf_offs=0;
- s->s2->rbuf_left=0;
- }
+ if (newb > (int)n) {
+ s->s2->rbuf_offs = n + off;
+ s->s2->rbuf_left = newb - n;
+ } else {
+ s->s2->rbuf_offs = 0;
+ s->s2->rbuf_left = 0;
+ }
if (extend)
- s->packet_length+=n;
+ s->packet_length += n;
else
- s->packet_length=n;
- s->rwstate=SSL_NOTHING;
- return(n);
- }
-
-int ssl2_write(SSL *s, const void *_buf, int len)
- {
- const unsigned char *buf=_buf;
- unsigned int n,tot;
+ s->packet_length = n;
+ s->rwstate = SSL_NOTHING;
+ return (n);
+}
+
+int
+ssl2_write(SSL *s, const void *_buf, int len)
+{
+ const unsigned char *buf = _buf;
+ unsigned int n, tot;
int i;
- if (SSL_in_init(s) && !s->in_handshake)
- {
- i=s->handshake_func(s);
- if (i < 0) return(i);
- if (i == 0)
- {
- SSLerr(SSL_F_SSL2_WRITE,SSL_R_SSL_HANDSHAKE_FAILURE);
- return(-1);
- }
+ if (SSL_in_init(s) && !s->in_handshake) {
+ i = s->handshake_func(s);
+ if (i < 0)
+ return (i);
+ if (i == 0) {
+ SSLerr(SSL_F_SSL2_WRITE, SSL_R_SSL_HANDSHAKE_FAILURE);
+ return (-1);
}
+ }
- if (s->error)
- {
+ if (s->error) {
ssl2_write_error(s);
if (s->error)
- return(-1);
- }
+ return (-1);
+ }
errno = 0;
- s->rwstate=SSL_NOTHING;
- if (len <= 0) return(len);
-
- tot=s->s2->wnum;
- s->s2->wnum=0;
-
- n=(len-tot);
- for (;;)
- {
- i=n_do_ssl_write(s,&(buf[tot]),n);
- if (i <= 0)
- {
- s->s2->wnum=tot;
- return(i);
- }
+ s->rwstate = SSL_NOTHING;
+ if (len <= 0)
+ return (len);
+
+ tot = s->s2->wnum;
+ s->s2->wnum = 0;
+
+ n = (len - tot);
+ for (;;) {
+ i = n_do_ssl_write(s, &(buf[tot]), n);
+ if (i <= 0) {
+ s->s2->wnum = tot;
+ return (i);
+ }
if ((i == (int)n) ||
- (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))
- {
- return(tot+i);
- }
-
- n-=i;
- tot+=i;
+ (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)) {
+ return (tot + i);
}
+
+ n -= i;
+ tot += i;
}
+}
-static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
- {
+static int
+write_pending(SSL *s, const unsigned char *buf, unsigned int len)
+{
int i;
/* s->s2->wpend_len != 0 MUST be true. */
@@ -473,122 +445,110 @@ static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
/* check that they have given us the same buffer to
* write */
if ((s->s2->wpend_tot > (int)len) ||
- ((s->s2->wpend_buf != buf) &&
- !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)))
- {
- SSLerr(SSL_F_WRITE_PENDING,SSL_R_BAD_WRITE_RETRY);
- return(-1);
- }
+ ((s->s2->wpend_buf != buf) &&
+ !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))) {
+ SSLerr(SSL_F_WRITE_PENDING, SSL_R_BAD_WRITE_RETRY);
+ return (-1);
+ }
- for (;;)
- {
+ for (;;) {
errno = 0;
- if (s->wbio != NULL)
- {
- s->rwstate=SSL_WRITING;
- i=BIO_write(s->wbio,
- (char *)&(s->s2->write_ptr[s->s2->wpend_off]),
- (unsigned int)s->s2->wpend_len);
- }
- else
- {
- SSLerr(SSL_F_WRITE_PENDING,SSL_R_WRITE_BIO_NOT_SET);
- i= -1;
- }
+ if (s->wbio != NULL) {
+ s->rwstate = SSL_WRITING;
+ i = BIO_write(s->wbio,
+ (char *)&(s->s2->write_ptr[s->s2->wpend_off]),
+ (unsigned int)s->s2->wpend_len);
+ } else {
+ SSLerr(SSL_F_WRITE_PENDING, SSL_R_WRITE_BIO_NOT_SET);
+ i = -1;
+ }
#ifdef PKT_DEBUG
- if (s->debug & 0x01) sleep(1);
+ if (s->debug & 0x01)
+ sleep(1);
#endif
- if (i == s->s2->wpend_len)
- {
- s->s2->wpend_len=0;
- s->rwstate=SSL_NOTHING;
- return(s->s2->wpend_ret);
- }
- else if (i <= 0)
- return(i);
- s->s2->wpend_off+=i;
- s->s2->wpend_len-=i;
- }
+ if (i == s->s2->wpend_len) {
+ s->s2->wpend_len = 0;
+ s->rwstate = SSL_NOTHING;
+ return (s->s2->wpend_ret);
+ } else if (i <= 0)
+ return (i);
+ s->s2->wpend_off += i;
+ s->s2->wpend_len -= i;
}
+}
-static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
- {
- unsigned int j,k,olen,p,bs;
+static int
+n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
+{
+ unsigned int j, k, olen, p, bs;
int mac_size;
register unsigned char *pp;
- olen=len;
+ olen = len;
/* first check if there is data from an encryption waiting to
* be sent - it must be sent because the other end is waiting.
* This will happen with non-blocking IO. We print it and then
* return.
*/
- if (s->s2->wpend_len != 0) return(write_pending(s,buf,len));
+ if (s->s2->wpend_len != 0)
+ return (write_pending(s, buf, len));
/* set mac_size to mac size */
if (s->s2->clear_text)
- mac_size=0;
- else
- {
- mac_size=EVP_MD_CTX_size(s->write_hash);
+ mac_size = 0;
+ else {
+ mac_size = EVP_MD_CTX_size(s->write_hash);
if (mac_size < 0)
return -1;
- }
+ }
/* lets set the pad p */
- if (s->s2->clear_text)
- {
+ if (s->s2->clear_text) {
if (len > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
- len=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
- p=0;
- s->s2->three_byte_header=0;
+ len = SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
+ p = 0;
+ s->s2->three_byte_header = 0;
/* len=len; */
- }
- else
- {
- bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
- j=len+mac_size;
+ } else {
+ bs = EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
+ j = len + mac_size;
/* Two-byte headers allow for a larger record length than
* three-byte headers, but we can't use them if we need
* padding or if we have to set the escape bit. */
if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) &&
- (!s->s2->escape))
- {
+ (!s->s2->escape)) {
if (j > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER)
- j=SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
+ j = SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER;
/* set k to the max number of bytes with 2
* byte header */
- k=j-(j%bs);
+ k = j - (j % bs);
/* how many data bytes? */
- len=k-mac_size;
- s->s2->three_byte_header=0;
- p=0;
- }
- else if ((bs <= 1) && (!s->s2->escape))
- {
+ len = k - mac_size;
+
+ s->s2->three_byte_header = 0;
+ p = 0;
+ } else if ((bs <= 1) && (!s->s2->escape)) {
/* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
- s->s2->three_byte_header=0;
- p=0;
- }
+ s->s2->three_byte_header = 0;
+ p = 0;
+ }
else /* we may have to use a 3 byte header */
- {
+ {
/* If s->s2->escape is not set, then
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
- p=(j%bs);
- p=(p == 0)?0:(bs-p);
- if (s->s2->escape)
- {
- s->s2->three_byte_header=1;
+ p = (j % bs);
+ p = (p == 0) ? 0 : (bs - p);
+ if (s->s2->escape) {
+ s->s2->three_byte_header = 1;
if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
- j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
- }
- else
- s->s2->three_byte_header=(p == 0)?0:1;
- }
+ j = SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
+ } else
+ s->s2->three_byte_header = (p == 0) ? 0 : 1;
}
+ }
/* Now
* j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
@@ -601,142 +561,136 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
* p is the number of padding bytes
* (if it is a two-byte header, then p == 0) */
- s->s2->wlength=len;
- s->s2->padding=p;
- s->s2->mac_data= &(s->s2->wbuf[3]);
- s->s2->wact_data= &(s->s2->wbuf[3+mac_size]);
+ s->s2->wlength = len;
+ s->s2->padding = p;
+ s->s2->mac_data = &(s->s2->wbuf[3]);
+ s->s2->wact_data = &(s->s2->wbuf[3 + mac_size]);
/* we copy the data into s->s2->wbuf */
- memcpy(s->s2->wact_data,buf,len);
+ memcpy(s->s2->wact_data, buf, len);
if (p)
- memset(&(s->s2->wact_data[len]),0,p); /* arbitrary padding */
+ memset(&(s->s2->wact_data[len]), 0, p); /* arbitrary padding */
- if (!s->s2->clear_text)
- {
- s->s2->wact_data_length=len+p;
- ssl2_mac(s,s->s2->mac_data,1);
- s->s2->wlength+=p+mac_size;
- ssl2_enc(s,1);
- }
+ if (!s->s2->clear_text) {
+ s->s2->wact_data_length = len + p;
+ ssl2_mac(s, s->s2->mac_data, 1);
+ s->s2->wlength += p + mac_size;
+ ssl2_enc(s, 1);
+ }
/* package up the header */
- s->s2->wpend_len=s->s2->wlength;
+ s->s2->wpend_len = s->s2->wlength;
if (s->s2->three_byte_header) /* 3 byte header */
- {
- pp=s->s2->mac_data;
- pp-=3;
- pp[0]=(s->s2->wlength>>8)&(THREE_BYTE_MASK>>8);
- if (s->s2->escape) pp[0]|=SEC_ESC_BIT;
- pp[1]=s->s2->wlength&0xff;
- pp[2]=s->s2->padding;
- s->s2->wpend_len+=3;
- }
- else
- {
- pp=s->s2->mac_data;
- pp-=2;
- pp[0]=((s->s2->wlength>>8)&(TWO_BYTE_MASK>>8))|TWO_BYTE_BIT;
- pp[1]=s->s2->wlength&0xff;
- s->s2->wpend_len+=2;
- }
- s->s2->write_ptr=pp;
-
+ {
+ pp = s->s2->mac_data;
+ pp -= 3;
+ pp[0] = (s->s2->wlength >> 8) & (THREE_BYTE_MASK >> 8);
+ if (s->s2->escape)
+ pp[0]|=SEC_ESC_BIT;
+ pp[1] = s->s2->wlength&0xff;
+ pp[2] = s->s2->padding;
+ s->s2->wpend_len += 3;
+ } else {
+ pp = s->s2->mac_data;
+ pp -= 2;
+ pp[0] = ((s->s2->wlength >> 8) & (TWO_BYTE_MASK >> 8)) | TWO_BYTE_BIT;
+ pp[1] = s->s2->wlength&0xff;
+ s->s2->wpend_len += 2;
+ }
+ s->s2->write_ptr = pp;
+
INC32(s->s2->write_sequence); /* expect next number */
/* lets try to actually write the data */
- s->s2->wpend_tot=olen;
- s->s2->wpend_buf=buf;
+ s->s2->wpend_tot = olen;
+ s->s2->wpend_buf = buf;
- s->s2->wpend_ret=len;
+ s->s2->wpend_ret = len;
- s->s2->wpend_off=0;
- return(write_pending(s,buf,olen));
- }
+ s->s2->wpend_off = 0;
+ return (write_pending(s, buf, olen));
+}
-int ssl2_part_read(SSL *s, unsigned long f, int i)
- {
+int
+ssl2_part_read(SSL *s, unsigned long f, int i)
+{
unsigned char *p;
int j;
- if (i < 0)
- {
+ if (i < 0) {
/* ssl2_return_error(s); */
/* for non-blocking io,
* this is not necessarily fatal */
- return(i);
- }
- else
- {
- s->init_num+=i;
+ return (i);
+ } else {
+ s->init_num += i;
/* Check for error. While there are recoverable errors,
* this function is not called when those must be expected;
* any error detected here is fatal. */
- if (s->init_num >= 3)
- {
- p=(unsigned char *)s->init_buf->data;
- if (p[0] == SSL2_MT_ERROR)
- {
- j=(p[1]<<8)|p[2];
- SSLerr((int)f,ssl_mt_error(j));
+ if (s->init_num >= 3) {
+ p = (unsigned char *)s->init_buf->data;
+ if (p[0] == SSL2_MT_ERROR) {
+ j = (p[1]<<8)|p[2];
+ SSLerr((int)f, ssl_mt_error(j));
s->init_num -= 3;
if (s->init_num > 0)
- memmove(p, p+3, s->init_num);
- }
+ memmove(p, p + 3, s->init_num);
}
+ }
/* If it's not an error message, we have some error anyway --
* the message was shorter than expected. This too is treated
* as fatal (at least if SSL_get_error is asked for its opinion). */
- return(0);
- }
+ return (0);
}
+}
-int ssl2_do_write(SSL *s)
- {
+int
+ssl2_do_write(SSL *s)
+{
int ret;
- ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
- if (ret == s->init_num)
- {
+ ret = ssl2_write(s, &s->init_buf->data[s->init_off], s->init_num);
+ if (ret == s->init_num) {
if (s->msg_callback)
s->msg_callback(1, s->version, 0, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
- return(1);
- }
- if (ret < 0)
- return(-1);
- s->init_off+=ret;
- s->init_num-=ret;
- return(0);
+ return (1);
}
-
-static int ssl_mt_error(int n)
- {
+ if (ret < 0)
+ return (-1);
+ s->init_off += ret;
+ s->init_num -= ret;
+ return (0);
+}
+
+static int
+ssl_mt_error(int n)
+{
int ret;
- switch (n)
- {
+ switch (n) {
case SSL2_PE_NO_CIPHER:
- ret=SSL_R_PEER_ERROR_NO_CIPHER;
+ ret = SSL_R_PEER_ERROR_NO_CIPHER;
break;
case SSL2_PE_NO_CERTIFICATE:
- ret=SSL_R_PEER_ERROR_NO_CERTIFICATE;
+ ret = SSL_R_PEER_ERROR_NO_CERTIFICATE;
break;
case SSL2_PE_BAD_CERTIFICATE:
- ret=SSL_R_PEER_ERROR_CERTIFICATE;
+ ret = SSL_R_PEER_ERROR_CERTIFICATE;
break;
case SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE:
- ret=SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
+ ret = SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE;
break;
default:
- ret=SSL_R_UNKNOWN_REMOTE_ERROR_TYPE;
+ ret = SSL_R_UNKNOWN_REMOTE_ERROR_TYPE;
break;
- }
- return(ret);
}
+ return (ret);
+}
#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
-static void *dummy=&dummy;
+static void *dummy = &dummy;
# endif
#endif
diff --git a/lib/libssl/src/ssl/s2_srvr.c b/lib/libssl/src/ssl/s2_srvr.c
index cac405db7c7..aa63fe85ba9 100644
--- a/lib/libssl/src/ssl/s2_srvr.c
+++ b/lib/libssl/src/ssl/s2_srvr.c
@@ -120,174 +120,181 @@
static const SSL_METHOD *ssl2_get_server_method(int ver);
static int get_client_master_key(SSL *s);
static int get_client_hello(SSL *s);
-static int server_hello(SSL *s);
+static int server_hello(SSL *s);
+
static int get_client_finished(SSL *s);
static int server_verify(SSL *s);
static int server_finish(SSL *s);
static int request_certificate(SSL *s);
-static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
- unsigned char *to,int padding);
+static int
+ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
+unsigned char *to, int padding);
#define BREAK break
-static const SSL_METHOD *ssl2_get_server_method(int ver)
- {
+static const SSL_METHOD
+*ssl2_get_server_method(int ver)
+{
if (ver == SSL2_VERSION)
- return(SSLv2_server_method());
+ return (SSLv2_server_method());
else
- return(NULL);
- }
+ return (NULL);
+}
IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
- ssl2_accept,
- ssl_undefined_function,
- ssl2_get_server_method)
-
-int ssl2_accept(SSL *s)
- {
- unsigned long l=(unsigned long)time(NULL);
- BUF_MEM *buf=NULL;
- int ret= -1;
+ ssl2_accept, ssl_undefined_function, ssl2_get_server_method)
+
+int
+ssl2_accept(SSL *s)
+{
+ unsigned long l = (unsigned long)time(NULL);
+ BUF_MEM *buf = NULL;
+ int ret = -1;
long num1;
- void (*cb)(const SSL *ssl,int type,int val)=NULL;
- int new_state,state;
+ void (*cb)(const SSL *ssl, int type, int val) = NULL;
+ int new_state, state;
- RAND_add(&l,sizeof(l),0);
+ RAND_add(&l, sizeof(l), 0);
ERR_clear_error();
errno = 0;
if (s->info_callback != NULL)
- cb=s->info_callback;
+ cb = s->info_callback;
else if (s->ctx->info_callback != NULL)
- cb=s->ctx->info_callback;
+ cb = s->ctx->info_callback;
/* init things to blank */
s->in_handshake++;
- if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
+ if (!SSL_in_init(s) || SSL_in_before(s))
+ SSL_clear(s);
- if (s->cert == NULL)
- {
- SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
- return(-1);
- }
+ if (s->cert == NULL) {
+ SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
+ return (-1);
+ }
errno = 0;
- for (;;)
- {
- state=s->state;
+ for (;;) {
+ state = s->state;
- switch (s->state)
- {
+ switch (s->state) {
case SSL_ST_BEFORE:
case SSL_ST_ACCEPT:
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
- s->server=1;
- if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
+ s->server = 1;
+ if (cb != NULL)
+ cb(s, SSL_CB_HANDSHAKE_START, 1);
- s->version=SSL2_VERSION;
- s->type=SSL_ST_ACCEPT;
+ s->version = SSL2_VERSION;
+ s->type = SSL_ST_ACCEPT;
- buf=s->init_buf;
- if ((buf == NULL) && ((buf=BUF_MEM_new()) == NULL))
- { ret= -1; goto end; }
- if (!BUF_MEM_grow(buf,(int)
- SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
- { ret= -1; goto end; }
- s->init_buf=buf;
- s->init_num=0;
+ buf = s->init_buf;
+ if ((buf == NULL) && ((buf = BUF_MEM_new()) == NULL)) {
+ ret = -1;
+ goto end;
+ }
+ if (!BUF_MEM_grow(buf,
+ (int)SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) {
+ ret = -1;
+ goto end;
+ }
+ s->init_buf = buf;
+ s->init_num = 0;
s->ctx->stats.sess_accept++;
- s->handshake_func=ssl2_accept;
- s->state=SSL2_ST_GET_CLIENT_HELLO_A;
+ s->handshake_func = ssl2_accept;
+ s->state = SSL2_ST_GET_CLIENT_HELLO_A;
BREAK;
case SSL2_ST_GET_CLIENT_HELLO_A:
case SSL2_ST_GET_CLIENT_HELLO_B:
case SSL2_ST_GET_CLIENT_HELLO_C:
- s->shutdown=0;
- ret=get_client_hello(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_SEND_SERVER_HELLO_A;
+ s->shutdown = 0;
+ ret = get_client_hello(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_SEND_SERVER_HELLO_A;
BREAK;
case SSL2_ST_SEND_SERVER_HELLO_A:
case SSL2_ST_SEND_SERVER_HELLO_B:
- ret=server_hello(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- if (!s->hit)
- {
- s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_A;
+ ret = server_hello(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ if (!s->hit) {
+ s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_A;
BREAK;
- }
- else
- {
- s->state=SSL2_ST_SERVER_START_ENCRYPTION;
+ } else {
+ s->state = SSL2_ST_SERVER_START_ENCRYPTION;
BREAK;
- }
+ }
case SSL2_ST_GET_CLIENT_MASTER_KEY_A:
case SSL2_ST_GET_CLIENT_MASTER_KEY_B:
- ret=get_client_master_key(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_SERVER_START_ENCRYPTION;
+ ret = get_client_master_key(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_SERVER_START_ENCRYPTION;
BREAK;
case SSL2_ST_SERVER_START_ENCRYPTION:
/* Ok we how have sent all the stuff needed to
* start encrypting, the next packet back will
* be encrypted. */
- if (!ssl2_enc_init(s,0))
- { ret= -1; goto end; }
- s->s2->clear_text=0;
- s->state=SSL2_ST_SEND_SERVER_VERIFY_A;
+ if (!ssl2_enc_init(s, 0)) {
+ ret = -1;
+ goto end;
+ }
+ s->s2->clear_text = 0;
+ s->state = SSL2_ST_SEND_SERVER_VERIFY_A;
BREAK;
case SSL2_ST_SEND_SERVER_VERIFY_A:
case SSL2_ST_SEND_SERVER_VERIFY_B:
- ret=server_verify(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- if (s->hit)
- {
+ ret = server_verify(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ if (s->hit) {
/* If we are in here, we have been
* buffering the output, so we need to
* flush it and remove buffering from
* future traffic */
- s->state=SSL2_ST_SEND_SERVER_VERIFY_C;
+ s->state = SSL2_ST_SEND_SERVER_VERIFY_C;
BREAK;
- }
- else
- {
- s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
+ } else {
+ s->state = SSL2_ST_GET_CLIENT_FINISHED_A;
break;
- }
+ }
- case SSL2_ST_SEND_SERVER_VERIFY_C:
- /* get the number of bytes to write */
- num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
- if (num1 > 0)
- {
- s->rwstate=SSL_WRITING;
- num1=BIO_flush(s->wbio);
- if (num1 <= 0) { ret= -1; goto end; }
- s->rwstate=SSL_NOTHING;
+ case SSL2_ST_SEND_SERVER_VERIFY_C:
+ /* get the number of bytes to write */
+ num1 = BIO_ctrl(s->wbio, BIO_CTRL_INFO, 0, NULL);
+ if (num1 > 0) {
+ s->rwstate = SSL_WRITING;
+ num1 = BIO_flush(s->wbio);
+ if (num1 <= 0) {
+ ret = -1;
+ goto end;
}
+ s->rwstate = SSL_NOTHING;
+ }
- /* flushed and now remove buffering */
- s->wbio=BIO_pop(s->wbio);
+ /* flushed and now remove buffering */
+ s->wbio = BIO_pop(s->wbio);
- s->state=SSL2_ST_GET_CLIENT_FINISHED_A;
- BREAK;
+ s->state = SSL2_ST_GET_CLIENT_FINISHED_A;
+ BREAK;
case SSL2_ST_GET_CLIENT_FINISHED_A:
case SSL2_ST_GET_CLIENT_FINISHED_B:
- ret=get_client_finished(s);
+ ret = get_client_finished(s);
if (ret <= 0)
goto end;
- s->init_num=0;
- s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
+ s->init_num = 0;
+ s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_A;
BREAK;
case SSL2_ST_SEND_REQUEST_CERTIFICATE_A:
@@ -298,229 +305,216 @@ int ssl2_accept(SSL *s)
* don't want to, or we already have one, and
* we only want to do it once. */
if (!(s->verify_mode & SSL_VERIFY_PEER) ||
- ((s->session->peer != NULL) &&
- (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
- {
- s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
+ ((s->session->peer != NULL) &&
+ (s->verify_mode & SSL_VERIFY_CLIENT_ONCE))) {
+ s->state = SSL2_ST_SEND_SERVER_FINISHED_A;
break;
- }
- else
- {
- ret=request_certificate(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL2_ST_SEND_SERVER_FINISHED_A;
- }
+ } else {
+ ret = request_certificate(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL2_ST_SEND_SERVER_FINISHED_A;
+ }
BREAK;
case SSL2_ST_SEND_SERVER_FINISHED_A:
case SSL2_ST_SEND_SERVER_FINISHED_B:
- ret=server_finish(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL_ST_OK;
+ ret = server_finish(s);
+ if (ret <= 0)
+ goto end;
+ s->init_num = 0;
+ s->state = SSL_ST_OK;
break;
case SSL_ST_OK:
BUF_MEM_free(s->init_buf);
ssl_free_wbio_buffer(s);
- s->init_buf=NULL;
- s->init_num=0;
- /* ERR_clear_error();*/
+ s->init_buf = NULL;
+ s->init_num = 0;
+ /* ERR_clear_error();*/
- ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
+ ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
s->ctx->stats.sess_accept_good++;
/* s->server=1; */
- ret=1;
+ ret = 1;
- if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
+ if (cb != NULL)
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
goto end;
/* BREAK; */
default:
- SSLerr(SSL_F_SSL2_ACCEPT,SSL_R_UNKNOWN_STATE);
- ret= -1;
+ SSLerr(SSL_F_SSL2_ACCEPT, SSL_R_UNKNOWN_STATE);
+ ret = -1;
goto end;
/* BREAK; */
- }
-
- if ((cb != NULL) && (s->state != state))
- {
- new_state=s->state;
- s->state=state;
- cb(s,SSL_CB_ACCEPT_LOOP,1);
- s->state=new_state;
- }
}
+
+ if ((cb != NULL) && (s->state != state)) {
+ new_state = s->state;
+ s->state = state;
+ cb(s, SSL_CB_ACCEPT_LOOP, 1);
+ s->state = new_state;
+ }
+ }
end:
s->in_handshake--;
if (cb != NULL)
- cb(s,SSL_CB_ACCEPT_EXIT,ret);
- return(ret);
- }
-
-static int get_client_master_key(SSL *s)
- {
- int is_export,i,n,keya,ek;
+ cb(s, SSL_CB_ACCEPT_EXIT, ret);
+ return (ret);
+}
+
+static int
+get_client_master_key(SSL *s)
+{
+ int is_export, i, n, keya, ek;
unsigned long len;
unsigned char *p;
const SSL_CIPHER *cp;
const EVP_CIPHER *c;
const EVP_MD *md;
- p=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A)
- {
- i=ssl2_read(s,(char *)&(p[s->init_num]),10-s->init_num);
+ p = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) {
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 10 - s->init_num);
- if (i < (10-s->init_num))
- return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
+ if (i < (10 - s->init_num))
+ return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i));
s->init_num = 10;
- if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY)
- {
- if (p[-1] != SSL2_MT_ERROR)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_READ_WRONG_PACKET_TYPE);
- }
- else
+ if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) {
+ if (p[-1] != SSL2_MT_ERROR) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_READ_WRONG_PACKET_TYPE);
+ } else
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PEER_ERROR);
- return(-1);
- }
+ return (-1);
+ }
- cp=ssl2_get_cipher_by_char(p);
- if (cp == NULL)
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
+ cp = ssl2_get_cipher_by_char(p);
+ if (cp == NULL) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
- return(-1);
- }
- s->session->cipher= cp;
-
- p+=3;
- n2s(p,i); s->s2->tmp.clear=i;
- n2s(p,i); s->s2->tmp.enc=i;
- n2s(p,i);
- if(i > SSL_MAX_KEY_ARG_LENGTH)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
+ }
+ s->session->cipher = cp;
+
+ p += 3;
+ n2s(p, i);
+ s->s2->tmp.clear = i;
+ n2s(p, i);
+ s->s2->tmp.enc = i;
+ n2s(p, i);
+ if (i > SSL_MAX_KEY_ARG_LENGTH) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
return -1;
- }
- s->session->key_arg_length=i;
- s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
}
+ s->session->key_arg_length = i;
+ s->state = SSL2_ST_GET_CLIENT_MASTER_KEY_B;
+ }
/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
- p=(unsigned char *)s->init_buf->data;
- if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ p = (unsigned char *)s->init_buf->data;
+ if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
- }
- keya=s->session->key_arg_length;
+ }
+ keya = s->session->key_arg_length;
len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
- if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
+ if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_MESSAGE_TOO_LONG);
return -1;
- }
+ }
n = (int)len - s->init_num;
- i = ssl2_read(s,(char *)&(p[s->init_num]),n);
- if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
+ i = ssl2_read(s,(char *)&(p[s->init_num]), n);
+ if (i != n)
+ return (ssl2_part_read(s, SSL_F_GET_CLIENT_MASTER_KEY, i));
if (s->msg_callback)
s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
p += 10;
- memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
- (unsigned int)keya);
+ memcpy(s->session->key_arg, &(p[s->s2->tmp.clear + s->s2->tmp.enc]),
+ (unsigned int)keya);
- if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
- return(-1);
- }
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+ if (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
+ return (-1);
+ }
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+ &(p[s->s2->tmp.clear]), &(p[s->s2->tmp.clear]),
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING);
- is_export=SSL_C_IS_EXPORT(s->session->cipher);
-
- if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
- {
- ssl2_return_error(s,SSL2_PE_NO_CIPHER);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
- return(0);
- }
+ is_export = SSL_C_IS_EXPORT(s->session->cipher);
- if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
- {
- is_export=1;
- ek=8;
- }
- else
- ek=5;
+ if (!ssl_cipher_get_evp(s->session, &c, &md, NULL, NULL, NULL)) {
+ ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+ return (0);
+ }
+
+ if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) {
+ is_export = 1;
+ ek = 8;
+ } else
+ ek = 5;
/* bad decrypt */
#if 1
/* If a bad decrypt, continue with protocol but with a
* random master secret (Bleichenbacher attack) */
- if ((i < 0) ||
- ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
- (unsigned int)EVP_CIPHER_key_length(c))))))
- {
+ if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c))) ||
+ (is_export && ((i != ek) || (s->s2->tmp.clear + (unsigned int)i !=
+ (unsigned int)EVP_CIPHER_key_length(c)))))) {
ERR_clear_error();
if (is_export)
- i=ek;
+ i = ek;
else
- i=EVP_CIPHER_key_length(c);
- if (RAND_pseudo_bytes(p,i) <= 0)
+ i = EVP_CIPHER_key_length(c);
+ if (RAND_pseudo_bytes(p, i) <= 0)
return 0;
- }
+ }
#else
- if (i < 0)
- {
- error=1;
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_RSA_DECRYPT);
- }
+ if (i < 0) {
+ error = 1;
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_BAD_RSA_DECRYPT);
+ }
/* incorrect number of key bytes for non export cipher */
- else if ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
- EVP_CIPHER_key_length(c)))))
- {
- error=1;
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_WRONG_NUMBER_OF_KEY_BITS);
- }
- if (error)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
+ else if ((!is_export && (i != EVP_CIPHER_key_length(c))) ||
+ (is_export && ((i != ek) || (s->s2->tmp.clear + i !=
+ EVP_CIPHER_key_length(c))))) {
+ error = 1;
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_WRONG_NUMBER_OF_KEY_BITS);
+ }
+ if (error) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
+ }
#endif
- if (is_export) i+=s->s2->tmp.clear;
+ if (is_export)
+ i += s->s2->tmp.clear;
- if (i > SSL_MAX_MASTER_KEY_LENGTH)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ if (i > SSL_MAX_MASTER_KEY_LENGTH) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
- }
- s->session->master_key_length=i;
- memcpy(s->session->master_key,p,(unsigned int)i);
- return(1);
}
-
-static int get_client_hello(SSL *s)
- {
- int i,n;
+ s->session->master_key_length = i;
+ memcpy(s->session->master_key, p,(unsigned int)i);
+ return (1);
+}
+
+static int
+get_client_hello(SSL *s)
+{
+ int i, n;
unsigned long len;
unsigned char *p;
STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
@@ -530,58 +524,56 @@ static int get_client_hello(SSL *s)
/* This is a bit of a hack to check for the correct packet
* type the first time round. */
- if (s->state == SSL2_ST_GET_CLIENT_HELLO_A)
- {
- s->first_packet=1;
- s->state=SSL2_ST_GET_CLIENT_HELLO_B;
- }
+ if (s->state == SSL2_ST_GET_CLIENT_HELLO_A) {
+ s->first_packet = 1;
+ s->state = SSL2_ST_GET_CLIENT_HELLO_B;
+ }
- p=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_GET_CLIENT_HELLO_B)
- {
- i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num);
- if (i < (9-s->init_num))
- return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
+ p = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_GET_CLIENT_HELLO_B) {
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 9 - s->init_num);
+ if (i < (9 - s->init_num))
+ return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i));
s->init_num = 9;
-
- if (*(p++) != SSL2_MT_CLIENT_HELLO)
- {
- if (p[-1] != SSL2_MT_ERROR)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_READ_WRONG_PACKET_TYPE);
- }
- else
- SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
- return(-1);
- }
- n2s(p,i);
- if (i < s->version) s->version=i;
- n2s(p,i); s->s2->tmp.cipher_spec_length=i;
- n2s(p,i); s->s2->tmp.session_id_length=i;
- n2s(p,i); s->s2->challenge_length=i;
- if ( (i < SSL2_MIN_CHALLENGE_LENGTH) ||
- (i > SSL2_MAX_CHALLENGE_LENGTH))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_INVALID_CHALLENGE_LENGTH);
- return(-1);
- }
- s->state=SSL2_ST_GET_CLIENT_HELLO_C;
+
+ if (*(p++) != SSL2_MT_CLIENT_HELLO) {
+ if (p[-1] != SSL2_MT_ERROR) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_READ_WRONG_PACKET_TYPE);
+ } else
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_PEER_ERROR);
+ return (-1);
+ }
+ n2s(p, i);
+ if (i < s->version)
+ s->version = i;
+ n2s(p, i);
+ s->s2->tmp.cipher_spec_length = i;
+ n2s(p, i);
+ s->s2->tmp.session_id_length = i;
+ n2s(p, i);
+ s->s2->challenge_length = i;
+ if ((i < SSL2_MIN_CHALLENGE_LENGTH) ||
+ (i > SSL2_MAX_CHALLENGE_LENGTH)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INVALID_CHALLENGE_LENGTH);
+ return (-1);
}
+ s->state = SSL2_ST_GET_CLIENT_HELLO_C;
+ }
/* SSL2_ST_GET_CLIENT_HELLO_C */
- p=(unsigned char *)s->init_buf->data;
+ p = (unsigned char *)s->init_buf->data;
len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length;
- if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG);
+ if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_MESSAGE_TOO_LONG);
return -1;
- }
+ }
n = (int)len - s->init_num;
- i = ssl2_read(s,(char *)&(p[s->init_num]),n);
- if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
+ i = ssl2_read(s,(char *)&(p[s->init_num]), n);
+ if (i != n)
+ return (ssl2_part_read(s, SSL_F_GET_CLIENT_HELLO, i));
if (s->msg_callback)
s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
p += 9;
@@ -589,138 +581,120 @@ static int get_client_hello(SSL *s)
/* get session-id before cipher stuff so we can get out session
* structure if it is cached */
/* session-id */
- if ((s->s2->tmp.session_id_length != 0) &&
- (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_BAD_SSL_SESSION_ID_LENGTH);
- return(-1);
- }
+ if ((s->s2->tmp.session_id_length != 0) &&
+ (s->s2->tmp.session_id_length != SSL2_SSL_SESSION_ID_LENGTH)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_BAD_SSL_SESSION_ID_LENGTH);
+ return (-1);
+ }
- if (s->s2->tmp.session_id_length == 0)
- {
- if (!ssl_get_new_session(s,1))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
+ if (s->s2->tmp.session_id_length == 0) {
+ if (!ssl_get_new_session(s, 1)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
}
- else
- {
- i=ssl_get_prev_session(s,&(p[s->s2->tmp.cipher_spec_length]),
- s->s2->tmp.session_id_length, NULL);
+ } else {
+ i = ssl_get_prev_session(s, &(p[s->s2->tmp.cipher_spec_length]),
+ s->s2->tmp.session_id_length, NULL);
if (i == 1)
- { /* previous session */
- s->hit=1;
+ { /* previous session */
+ s->hit = 1;
+ } else if (i == -1) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
+ } else {
+ if (s->cert == NULL) {
+ ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CERTIFICATE_SET);
+ return (-1);
}
- else if (i == -1)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
- else
- {
- if (s->cert == NULL)
- {
- ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
- SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_NO_CERTIFICATE_SET);
- return(-1);
- }
- if (!ssl_get_new_session(s,1))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- return(-1);
- }
+ if (!ssl_get_new_session(s, 1)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ return (-1);
}
}
+ }
- if (!s->hit)
- {
- cs=ssl_bytes_to_cipher_list(s,p,s->s2->tmp.cipher_spec_length,
- &s->session->ciphers);
- if (cs == NULL) goto mem_err;
-
- cl=SSL_get_ciphers(s);
-
- if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
- {
- prio=sk_SSL_CIPHER_dup(cl);
- if (prio == NULL) goto mem_err;
- allow = cs;
- }
- else
- {
- prio = cs;
- allow = cl;
- }
- for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
- {
- if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
- {
- (void)sk_SSL_CIPHER_delete(prio,z);
+ if (!s->hit) {
+ cs = ssl_bytes_to_cipher_list(s, p,
+ s->s2->tmp.cipher_spec_length, &s->session->ciphers);
+ if (cs == NULL)
+ goto mem_err;
+
+ cl = SSL_get_ciphers(s);
+
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ prio = sk_SSL_CIPHER_dup(cl);
+ if (prio == NULL)
+ goto mem_err;
+ allow = cs;
+ } else {
+ prio = cs;
+ allow = cl;
+ }
+ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+ if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
+ (void)sk_SSL_CIPHER_delete(prio, z);
z--;
- }
}
- if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
- {
- sk_SSL_CIPHER_free(s->session->ciphers);
- s->session->ciphers = prio;
- }
+ }
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
/* s->session->ciphers should now have a list of
* ciphers that are on both the client and server.
* This list is ordered by the order the client sent
* the ciphers or in the order of the server's preference
* if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
*/
- }
- p+=s->s2->tmp.cipher_spec_length;
+ }
+ p += s->s2->tmp.cipher_spec_length;
/* done cipher selection */
/* session id extracted already */
- p+=s->s2->tmp.session_id_length;
+ p += s->s2->tmp.session_id_length;
/* challenge */
- if (s->s2->challenge_length > sizeof s->s2->challenge)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ if (s->s2->challenge_length > sizeof s->s2->challenge) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
- }
- memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
- return(1);
-mem_err:
- SSLerr(SSL_F_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
- return(0);
}
-
-static int server_hello(SSL *s)
- {
- unsigned char *p,*d;
- int n,hit;
-
- p=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
- {
- d=p+11;
- *(p++)=SSL2_MT_SERVER_HELLO; /* type */
- hit=s->hit;
- *(p++)=(unsigned char)hit;
+ memcpy(s->s2->challenge, p, (unsigned int)s->s2->challenge_length);
+ return (1);
+mem_err:
+ SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_MALLOC_FAILURE);
+ return (0);
+}
+
+static int
+server_hello(SSL *s)
+{
+ unsigned char *p, *d;
+ int n, hit;
+
+ p = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) {
+ d = p + 11;
+ *(p++) = SSL2_MT_SERVER_HELLO;
+ /* type */
+ hit = s->hit;
+ *(p++) = (unsigned char)hit;
#if 1
- if (!hit)
- {
+ if (!hit) {
if (s->session->sess_cert != NULL)
/* This can't really happen because get_client_hello
* has called ssl_get_new_session, which does not set
* sess_cert. */
- ssl_sess_cert_free(s->session->sess_cert);
+ ssl_sess_cert_free(s->session->sess_cert);
s->session->sess_cert = ssl_sess_cert_new();
- if (s->session->sess_cert == NULL)
- {
+ if (s->session->sess_cert == NULL) {
SSLerr(SSL_F_SERVER_HELLO, ERR_R_MALLOC_FAILURE);
- return(-1);
- }
+ return (-1);
}
+ }
/* If 'hit' is set, then s->sess_cert may be non-NULL or NULL,
* depending on whether it survived in the internal cache
* or was retrieved from an external cache.
@@ -730,419 +704,391 @@ static int server_hello(SSL *s)
#else /* That's what used to be done when cert_st and sess_cert_st were
* the same. */
- if (!hit)
- { /* else add cert to session */
- CRYPTO_add(&s->cert->references,1,CRYPTO_LOCK_SSL_CERT);
+ if (!hit) { /* else add cert to session */
+ CRYPTO_add(&s->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
if (s->session->sess_cert != NULL)
ssl_cert_free(s->session->sess_cert);
- s->session->sess_cert=s->cert;
- }
- else /* We have a session id-cache hit, if the
- * session-id has no certificate listed against
- * the 'cert' structure, grab the 'old' one
+ s->session->sess_cert = s->cert;
+
+ } else /* We have a session id - cache hit, if the
+ * session - id has no certificate listed against
+ * the 'cert' structure, grab the 'old' one
* listed against the SSL connection */
- {
- if (s->session->sess_cert == NULL)
- {
- CRYPTO_add(&s->cert->references,1,
- CRYPTO_LOCK_SSL_CERT);
- s->session->sess_cert=s->cert;
- }
+ {
+ if (s->session->sess_cert == NULL) {
+ CRYPTO_add(&s->cert->references, 1,
+ CRYPTO_LOCK_SSL_CERT);
+ s->session->sess_cert = s->cert;
}
+ }
#endif
- if (s->cert == NULL)
- {
- ssl2_return_error(s,SSL2_PE_NO_CERTIFICATE);
- SSLerr(SSL_F_SERVER_HELLO,SSL_R_NO_CERTIFICATE_SPECIFIED);
- return(-1);
- }
+ if (s->cert == NULL) {
+ ssl2_return_error(s, SSL2_PE_NO_CERTIFICATE);
+ SSLerr(SSL_F_SERVER_HELLO, SSL_R_NO_CERTIFICATE_SPECIFIED);
+ return (-1);
+ }
- if (hit)
- {
- *(p++)=0; /* no certificate type */
+ if (hit) {
+ *(p++) = 0;
+ /* no certificate type */
s2n(s->version,p); /* version */
- s2n(0,p); /* cert len */
- s2n(0,p); /* ciphers len */
- }
- else
- {
+ s2n(0, p);
+ /* cert len */
+ s2n(0, p);
+ /* ciphers len */
+ } else {
/* EAY EAY */
/* put certificate type */
- *(p++)=SSL2_CT_X509_CERTIFICATE;
+ *(p++) = SSL2_CT_X509_CERTIFICATE;
s2n(s->version,p); /* version */
- n=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
- s2n(n,p); /* certificate length */
- i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&d);
- n=0;
-
+ n = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL);
+ s2n(n, p);
+ /* certificate length */
+ i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &d);
+ n = 0;
+
/* lets send out the ciphers we like in the
* prefered order */
- n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
- d+=n;
- s2n(n,p); /* add cipher length */
- }
+ n = ssl_cipher_list_to_bytes(s, s->session->ciphers, d, 0);
+ d += n;
+ s2n(n, p);
+ /* add cipher length */
+ }
/* make and send conn_id */
s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */
- s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
+ s->s2->conn_id_length = SSL2_CONNECTION_ID_LENGTH;
if (RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length) <= 0)
return -1;
- memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
- d+=SSL2_CONNECTION_ID_LENGTH;
+ memcpy(d, s->s2->conn_id, SSL2_CONNECTION_ID_LENGTH);
+ d += SSL2_CONNECTION_ID_LENGTH;
- s->state=SSL2_ST_SEND_SERVER_HELLO_B;
- s->init_num=d-(unsigned char *)s->init_buf->data;
- s->init_off=0;
- }
+ s->state = SSL2_ST_SEND_SERVER_HELLO_B;
+ s->init_num = d - (unsigned char *)s->init_buf->data;
+ s->init_off = 0;
+ }
/* SSL2_ST_SEND_SERVER_HELLO_B */
/* If we are using TCP/IP, the performance is bad if we do 2
* writes without a read between them. This occurs when
* Session-id reuse is used, so I will put in a buffering module
*/
- if (s->hit)
- {
- if (!ssl_init_wbio_buffer(s,1)) return(-1);
- }
-
- return(ssl2_do_write(s));
+ if (s->hit) {
+ if (!ssl_init_wbio_buffer(s, 1))
+ return (-1);
}
-static int get_client_finished(SSL *s)
- {
+ return (ssl2_do_write(s));
+}
+
+static int
+get_client_finished(SSL *s)
+{
unsigned char *p;
int i, n;
unsigned long len;
- p=(unsigned char *)s->init_buf->data;
- if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A)
- {
- i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
- if (i < 1-s->init_num)
- return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
+ p = (unsigned char *)s->init_buf->data;
+ if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) {
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 1 - s->init_num);
+ if (i < 1 - s->init_num)
+ return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i));
s->init_num += i;
- if (*p != SSL2_MT_CLIENT_FINISHED)
- {
- if (*p != SSL2_MT_ERROR)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
- }
- else
- {
- SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
+ if (*p != SSL2_MT_CLIENT_FINISHED) {
+ if (*p != SSL2_MT_ERROR) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_READ_WRONG_PACKET_TYPE);
+ } else {
+ SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_PEER_ERROR);
/* try to read the error message */
- i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
- return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
- }
- return(-1);
+ i = ssl2_read(s,(char *)&(p[s->init_num]), 3 - s->init_num);
+ return ssl2_part_read(s, SSL_F_GET_SERVER_VERIFY, i);
}
- s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
+ return (-1);
}
+ s->state = SSL2_ST_GET_CLIENT_FINISHED_B;
+ }
/* SSL2_ST_GET_CLIENT_FINISHED_B */
- if (s->s2->conn_id_length > sizeof s->s2->conn_id)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ if (s->s2->conn_id_length > sizeof s->s2->conn_id) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
- }
+ }
len = 1 + (unsigned long)s->s2->conn_id_length;
n = (int)len - s->init_num;
- i = ssl2_read(s,(char *)&(p[s->init_num]),n);
- if (i < n)
- {
- return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
- }
+ i = ssl2_read(s,(char *)&(p[s->init_num]), n);
+ if (i < n) {
+ return (ssl2_part_read(s, SSL_F_GET_CLIENT_FINISHED, i));
+ }
if (s->msg_callback)
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
p += 1;
- if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
- return(-1);
- }
- return(1);
+ if (memcmp(p, s->s2->conn_id, s->s2->conn_id_length) != 0) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_CONNECTION_ID_IS_DIFFERENT);
+ return (-1);
}
+ return (1);
+}
-static int server_verify(SSL *s)
- {
+static int
+server_verify(SSL *s)
+{
unsigned char *p;
- if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A)
- {
- p=(unsigned char *)s->init_buf->data;
- *(p++)=SSL2_MT_SERVER_VERIFY;
- if (s->s2->challenge_length > sizeof s->s2->challenge)
- {
+ if (s->state == SSL2_ST_SEND_SERVER_VERIFY_A) {
+ p = (unsigned char *)s->init_buf->data;
+ *(p++) = SSL2_MT_SERVER_VERIFY;
+ if (s->s2->challenge_length > sizeof s->s2->challenge) {
SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
return -1;
- }
- memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
+ }
+ memcpy(p, s->s2->challenge,(unsigned int)s->s2->challenge_length);
/* p+=s->s2->challenge_length; */
- s->state=SSL2_ST_SEND_SERVER_VERIFY_B;
- s->init_num=s->s2->challenge_length+1;
- s->init_off=0;
- }
- return(ssl2_do_write(s));
+ s->state = SSL2_ST_SEND_SERVER_VERIFY_B;
+ s->init_num = s->s2->challenge_length + 1;
+ s->init_off = 0;
}
+ return (ssl2_do_write(s));
+}
-static int server_finish(SSL *s)
- {
+static int
+server_finish(SSL *s)
+{
unsigned char *p;
- if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A)
- {
- p=(unsigned char *)s->init_buf->data;
- *(p++)=SSL2_MT_SERVER_FINISHED;
+ if (s->state == SSL2_ST_SEND_SERVER_FINISHED_A) {
+ p = (unsigned char *)s->init_buf->data;
+ *(p++) = SSL2_MT_SERVER_FINISHED;
- if (s->session->session_id_length > sizeof s->session->session_id)
- {
+ if (s->session->session_id_length > sizeof s->session->session_id) {
SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
return -1;
- }
- memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
+ }
+ memcpy(p, s->session->session_id, (unsigned int)s->session->session_id_length);
/* p+=s->session->session_id_length; */
- s->state=SSL2_ST_SEND_SERVER_FINISHED_B;
- s->init_num=s->session->session_id_length+1;
- s->init_off=0;
- }
+ s->state = SSL2_ST_SEND_SERVER_FINISHED_B;
+ s->init_num = s->session->session_id_length + 1;
+ s->init_off = 0;
+ }
/* SSL2_ST_SEND_SERVER_FINISHED_B */
- return(ssl2_do_write(s));
- }
+ return (ssl2_do_write(s));
+}
/* send the request and check the response */
-static int request_certificate(SSL *s)
- {
+static int
+request_certificate(SSL *s)
+{
const unsigned char *cp;
- unsigned char *p,*p2,*buf2;
+ unsigned char *p, *p2, *buf2;
unsigned char *ccd;
- int i,j,ctype,ret= -1;
+ int i, j, ctype, ret = -1;
unsigned long len;
- X509 *x509=NULL;
- STACK_OF(X509) *sk=NULL;
-
- ccd=s->s2->tmp.ccl;
- if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A)
- {
- p=(unsigned char *)s->init_buf->data;
- *(p++)=SSL2_MT_REQUEST_CERTIFICATE;
- *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
- if (RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
+ X509 *x509 = NULL;
+ STACK_OF(X509) *sk = NULL;
+
+ ccd = s->s2->tmp.ccl;
+ if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_A) {
+ p = (unsigned char *)s->init_buf->data;
+ *(p++) = SSL2_MT_REQUEST_CERTIFICATE;
+ *(p++) = SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
+ if (RAND_pseudo_bytes(ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH) <= 0)
return -1;
- memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+ memcpy(p, ccd, SSL2_MIN_CERT_CHALLENGE_LENGTH);
- s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
- s->init_num=SSL2_MIN_CERT_CHALLENGE_LENGTH+2;
- s->init_off=0;
- }
+ s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
+ s->init_num = SSL2_MIN_CERT_CHALLENGE_LENGTH + 2;
+ s->init_off = 0;
+ }
- if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B)
- {
- i=ssl2_do_write(s);
- if (i <= 0)
- {
- ret=i;
+ if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_B) {
+ i = ssl2_do_write(s);
+ if (i <= 0) {
+ ret = i;
goto end;
- }
-
- s->init_num=0;
- s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
}
- if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C)
- {
- p=(unsigned char *)s->init_buf->data;
- i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */
- if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3
+ s->init_num = 0;
+ s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_C;
+ }
+
+ if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) {
+ p = (unsigned char *)s->init_buf->data;
+ i = ssl2_read(s, (char *)&(p[s->init_num]), 6 - s->init_num); /* try to read 6 octets ... */
+ if (i < 3 - s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3
* (probably NO-CERTIFICATE-ERROR) */
- {
- ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
+ {
+ ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i);
goto end;
- }
+ }
s->init_num += i;
- if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
- {
- n2s(p,i);
- if (i != SSL2_PE_NO_CERTIFICATE)
- {
+ if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) {
+ n2s(p, i);
+ if (i != SSL2_PE_NO_CERTIFICATE) {
/* not the error message we expected -- let ssl2_part_read handle it */
s->init_num -= 3;
- ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3);
+ ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, 3);
goto end;
- }
+ }
if (s->msg_callback)
s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
/* this is the one place where we can recover from an SSL 2.0 error */
- if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- {
- ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
- SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+ if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+ ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
goto end;
- }
- ret=1;
- goto end;
}
- if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6))
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ);
+ ret = 1;
goto end;
- }
- if (s->init_num != 6)
- {
+ }
+ if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_SHORT_READ);
+ goto end;
+ }
+ if (s->init_num != 6) {
SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
goto end;
- }
-
+ }
+
/* ok we have a response */
/* certificate type, there is only one right now. */
ctype= *(p++);
- if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION)
- {
- ssl2_return_error(s,SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
- SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_RESPONSE_ARGUMENT);
+ if (ctype != SSL2_AT_MD5_WITH_RSA_ENCRYPTION) {
+ ssl2_return_error(s, SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_RESPONSE_ARGUMENT);
goto end;
- }
- n2s(p,i); s->s2->tmp.clen=i;
- n2s(p,i); s->s2->tmp.rlen=i;
- s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
}
+ n2s(p, i);
+ s->s2->tmp.clen = i;
+ n2s(p, i);
+ s->s2->tmp.rlen = i;
+ s->state = SSL2_ST_SEND_REQUEST_CERTIFICATE_D;
+ }
/* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */
- p=(unsigned char *)s->init_buf->data;
+ p = (unsigned char *)s->init_buf->data;
len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
- if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
- {
- SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
+ if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) {
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_MESSAGE_TOO_LONG);
goto end;
- }
+ }
j = (int)len - s->init_num;
- i = ssl2_read(s,(char *)&(p[s->init_num]),j);
- if (i < j)
- {
- ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
+ i = ssl2_read(s,(char *)&(p[s->init_num]), j);
+ if (i < j) {
+ ret = ssl2_part_read(s, SSL_F_REQUEST_CERTIFICATE, i);
goto end;
- }
+ }
if (s->msg_callback)
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
p += 6;
cp = p;
- x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen);
- if (x509 == NULL)
- {
- SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB);
+ x509 = (X509 *)d2i_X509(NULL, &cp,(long)s->s2->tmp.clen);
+ if (x509 == NULL) {
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_X509_LIB);
goto msg_end;
- }
+ }
- if (((sk=sk_X509_new_null()) == NULL) || (!sk_X509_push(sk,x509)))
- {
- SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+ if (((sk = sk_X509_new_null()) == NULL) || (!sk_X509_push(sk, x509))) {
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto msg_end;
- }
+ }
- i=ssl_verify_cert_chain(s,sk);
+ i = ssl_verify_cert_chain(s, sk);
if (i > 0) /* we like the packet, now check the chksum */
- {
+ {
EVP_MD_CTX ctx;
- EVP_PKEY *pkey=NULL;
+ EVP_PKEY *pkey = NULL;
EVP_MD_CTX_init(&ctx);
- if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL)
- || !EVP_VerifyUpdate(&ctx,s->s2->key_material,
- s->s2->key_material_length)
- || !EVP_VerifyUpdate(&ctx,ccd,
- SSL2_MIN_CERT_CHALLENGE_LENGTH))
+ if (!EVP_VerifyInit_ex(&ctx, s->ctx->rsa_md5, NULL) ||
+ !EVP_VerifyUpdate(&ctx, s->s2->key_material,
+ s->s2->key_material_length) ||
+ !EVP_VerifyUpdate(&ctx, ccd,
+ SSL2_MIN_CERT_CHALLENGE_LENGTH))
goto msg_end;
- i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
- buf2=OPENSSL_malloc((unsigned int)i);
- if (buf2 == NULL)
- {
- SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
+ i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, NULL);
+ buf2 = OPENSSL_malloc((unsigned int)i);
+ if (buf2 == NULL) {
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_MALLOC_FAILURE);
goto msg_end;
- }
- p2=buf2;
- i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
- if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i))
- {
+ }
+ p2 = buf2;
+ i = i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509, &p2);
+ if (!EVP_VerifyUpdate(&ctx, buf2,(unsigned int)i)) {
OPENSSL_free(buf2);
goto msg_end;
- }
+ }
OPENSSL_free(buf2);
- pkey=X509_get_pubkey(x509);
- if (pkey == NULL) goto end;
- i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey);
+ pkey = X509_get_pubkey(x509);
+ if (pkey == NULL)
+ goto end;
+ i = EVP_VerifyFinal(&ctx, cp, s->s2->tmp.rlen, pkey);
EVP_PKEY_free(pkey);
EVP_MD_CTX_cleanup(&ctx);
- if (i > 0)
- {
+ if (i > 0) {
if (s->session->peer != NULL)
X509_free(s->session->peer);
- s->session->peer=x509;
- CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
+ s->session->peer = x509;
+ CRYPTO_add(&x509->references, 1, CRYPTO_LOCK_X509);
s->session->verify_result = s->verify_result;
- ret=1;
+ ret = 1;
goto end;
- }
- else
- {
- SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_BAD_CHECKSUM);
+ } else {
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_BAD_CHECKSUM);
goto msg_end;
- }
}
- else
- {
+ } else {
msg_end:
- ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE);
- }
+ ssl2_return_error(s, SSL2_PE_BAD_CERTIFICATE);
+ }
end:
sk_X509_free(sk);
X509_free(x509);
- return(ret);
- }
+ return (ret);
+}
-static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
- unsigned char *to, int padding)
- {
+static int
+ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
+ unsigned char *to, int padding)
+{
RSA *rsa;
int i;
- if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL))
- {
- SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_NO_PRIVATEKEY);
- return(-1);
- }
- if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA)
- {
- SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,SSL_R_PUBLIC_KEY_IS_NOT_RSA);
- return(-1);
- }
- rsa=c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
+ if ((c == NULL) || (c->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)) {
+ SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_NO_PRIVATEKEY);
+ return (-1);
+ }
+ if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey->type != EVP_PKEY_RSA) {
+ SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, SSL_R_PUBLIC_KEY_IS_NOT_RSA);
+ return (-1);
+ }
+ rsa = c->pkeys[SSL_PKEY_RSA_ENC].privatekey->pkey.rsa;
/* we have the public key */
- i=RSA_private_decrypt(len,from,to,rsa,padding);
+ i = RSA_private_decrypt(len, from, to, rsa, padding);
if (i < 0)
- SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
- return(i);
- }
+ SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT, ERR_R_RSA_LIB);
+ return (i);
+}
#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
-static void *dummy=&dummy;
+static void *dummy = &dummy;
# endif
#endif
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-14 02:43:58 +0000