summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2014-05-25 13:27:39 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2014-05-25 13:27:39 +0000
commit9e70a5d378268a0c65eca71172a6ae90e8dae48b (patch)
tree6fe8605af8341933252c68c179a6f6e5c53238a5 /lib
parente664b47ce4501f9ee04bb1f5f1e1c7522e8aa360 (diff)
The ssl_ciper_get_evp() function is currently overloaded to also return the
compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function. Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller. ok miod@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/ssl.h1
-rw-r--r--lib/libssl/ssl_ciph.c54
-rw-r--r--lib/libssl/ssl_err.c1
-rw-r--r--lib/libssl/ssl_locl.h4
-rw-r--r--lib/libssl/ssl_txt.c4
-rw-r--r--lib/libssl/t1_enc.c13
6 files changed, 49 insertions, 28 deletions
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index 9744d9783cd..6765e3560ae 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -2197,6 +2197,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_CERT_LENGTH_MISMATCH 135
#define SSL_R_CHALLENGE_IS_DIFFERENT 136
#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
+#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE 371
#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
#define SSL_R_CLIENTHELLO_TLSEXT 226
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 4ae3312a1a0..bd939b7563c 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -481,33 +481,45 @@ load_builtin_compressions(void)
}
#endif
+/* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
+ * session and returns 1. On error it returns 0. */
int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
- const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp)
+ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
{
+ SSL_COMP ctmp;
int i;
- const SSL_CIPHER *c;
- c = s->cipher;
- if (c == NULL)
- return (0);
- if (comp != NULL) {
- SSL_COMP ctmp;
#ifndef OPENSSL_NO_COMP
- load_builtin_compressions();
+ load_builtin_compressions();
#endif
- *comp = NULL;
- ctmp.id = s->compress_meth;
- if (ssl_comp_methods != NULL) {
- i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
- if (i >= 0)
- *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
- else
- *comp = NULL;
- }
+ *comp = NULL;
+ if (s->compress_meth == 0)
+ return 1;
+ if (ssl_comp_methods == NULL)
+ return 0;
+
+ ctmp.id = s->compress_meth;
+ i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
+ if (i >= 0) {
+ *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
+ return 1;
}
+ return 0;
+}
+
+int
+ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+{
+ const SSL_CIPHER *c;
+ int i;
+
+ c = s->cipher;
+ if (c == NULL)
+ return (0);
+
if ((enc == NULL) || (md == NULL))
return (0);
@@ -732,8 +744,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
*enc |= SSL_eNULL;
#endif
-
-
*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
*enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
@@ -1684,8 +1694,8 @@ ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
SSL_COMP *ctmp;
int i, nn;
- if ((n == 0)
- || (sk == NULL)) return (NULL);
+ if ((n == 0) || (sk == NULL))
+ return (NULL);
nn = sk_SSL_COMP_num(sk);
for (i = 0; i < nn; i++) {
ctmp = sk_SSL_COMP_value(sk, i);
diff --git a/lib/libssl/ssl_err.c b/lib/libssl/ssl_err.c
index 67ba3c76991..7bea7fafa1f 100644
--- a/lib/libssl/ssl_err.c
+++ b/lib/libssl/ssl_err.c
@@ -344,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},
{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
+ {ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 3a4656ef622..06f37b69e65 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -599,9 +599,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted,
const char *rule_str);
void ssl_update_cache(SSL *s, int mode);
+int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp);
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
- const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,
- SSL_COMP **comp);
+ const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md);
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c
index 01dd846596f..734e0c0755d 100644
--- a/lib/libssl/ssl_txt.c
+++ b/lib/libssl/ssl_txt.c
@@ -190,7 +190,9 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
if (x->compress_meth != 0) {
SSL_COMP *comp = NULL;
- ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp);
+ if (!ssl_cipher_get_comp(x, &comp))
+ goto err;
+
if (comp == NULL) {
if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0)
goto err;
diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c
index 25991220789..5f17a4a94a2 100644
--- a/lib/libssl/t1_enc.c
+++ b/lib/libssl/t1_enc.c
@@ -532,12 +532,19 @@ tls1_setup_key_block(SSL *s)
int mac_type = NID_undef, mac_secret_size = 0;
int ret = 0;
-
if (s->s3->tmp.key_block_length != 0)
return (1);
- if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {
- SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+ if (!ssl_cipher_get_comp(s->session, &comp)) {
+ SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+ SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
+ return (0);
+ }
+
+ if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type,
+ &mac_secret_size)) {
+ SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+ SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return (0);
}