diff options
| author | Ben Laurie <ben@openssl.org> | 1999-02-21 21:58:59 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@openssl.org> | 1999-02-21 21:58:59 +0000 |
| commit | 60e31c3a4bbdbdb4259eaa3c48639f3e3915f380 (patch) | |
| tree | 1cd83e30167ca83bdca1282101d9119af64cc01d /ssl | |
| parent | a040ea8251cbbda301b140693e14c5d82ca83880 (diff) | |
More stuff for new TLS ciphersuites.
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/s3_lib.c | 9 | ||||
| -rw-r--r-- | ssl/s3_srvr.c | 6 | ||||
| -rw-r--r-- | ssl/ssl.h | 11 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 49 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 6 | ||||
| -rw-r--r-- | ssl/ssltest.c | 9 |
6 files changed, 49 insertions, 41 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 4d79895e99..b6f5d82f21 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -752,15 +752,16 @@ STACK *have,*pref; else cert=s->ctx->default_cert; - ssl_set_cert_masks(cert); - mask=cert->mask; - emask=cert->export_mask; - sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); for (i=0; i<sk_num(have); i++) { c=(SSL_CIPHER *)sk_value(have,i); + + ssl_set_cert_masks(cert,c); + mask=cert->mask; + emask=cert->export_mask; + alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (SSL_IS_EXPORT(alg)) { diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 233de6ca90..6fe489eb18 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -945,7 +945,8 @@ SSL *s; if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) { rsa=s->ctx->default_cert->rsa_tmp_cb(s, - !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)); + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); cert->rsa_tmp=rsa; } @@ -967,7 +968,8 @@ SSL *s; dhp=cert->dh_tmp; if ((dhp == NULL) && (cert->dh_tmp_cb != NULL)) dhp=cert->dh_tmp_cb(s, - !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)); + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if (dhp == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; @@ -1022,13 +1022,12 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_set_read_ahead(ctx,m) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) -/* For the next 2, the callbacks are - * RSA *tmp_rsa_cb(SSL *ssl,int export) - * DH *tmp_dh_cb(SSL *ssl,int export) - */ + /* NB: the keylength is only applicable when export is true */ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, - RSA *(*cb)(SSL *ssl,int export)); -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export)); + RSA *(*cb)(SSL *ssl,int export, + int keylength)); +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, + DH *(*dh)(SSL *ssl,int export,int keylength)); #ifdef HEADER_COMP_H int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 862a555efa..c4be734af4 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1131,46 +1131,49 @@ int (*cb)(); X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } -void ssl_set_cert_masks(c) +void ssl_set_cert_masks(c,cipher) CERT *c; +SSL_CIPHER *cipher; { CERT_PKEY *cpk; int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; int rsa_enc_export,dh_rsa_export,dh_dsa_export; - int rsa_tmp_export,dh_tmp_export; + int rsa_tmp_export,dh_tmp_export,kl; unsigned long mask,emask; if ((c == NULL) || (c->valid)) return; + kl=SSL_C_EXPORT_PKEYLENGTH(cipher); + #ifndef NO_RSA - rsa_tmp=((c->rsa_tmp != NULL) || (c->rsa_tmp_cb != NULL))?1:0; - rsa_tmp_export=((c->rsa_tmp_cb != NULL) || - (rsa_tmp && (RSA_size(c->rsa_tmp)*8 <= 512)))?1:0; + rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); + rsa_tmp_export=(c->rsa_tmp_cb != NULL || + (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); #else rsa_tmp=rsa_tmp_export=0; #endif #ifndef NO_DH - dh_tmp=((c->dh_tmp != NULL) || (c->dh_tmp_cb != NULL))?1:0; - dh_tmp_export=((c->dh_tmp_cb != NULL) || - (dh_tmp && (DH_size(c->dh_tmp)*8 <= 512)))?1:0; + dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); + dh_tmp_export=(c->dh_tmp_cb != NULL || + (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); #else dh_tmp=dh_tmp_export=0; #endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; - rsa_enc_export=(rsa_enc && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0; + rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); + rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; + rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); - dsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; + dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); - dh_rsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; - dh_rsa_export=(dh_rsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0; + dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ - dh_dsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; - dh_dsa_export=(dh_dsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0; + dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); mask=0; emask=0; @@ -1236,13 +1239,13 @@ SSL *s; { unsigned long alg,mask,kalg; CERT *c; - int i,_export; + int i,export; c=s->cert; - ssl_set_cert_masks(c); + ssl_set_cert_masks(c,s->s3->tmp.new_cipher); alg=s->s3->tmp.new_cipher->algorithms; - _export=SSL_IS_EXPORT(alg); - mask=_export?c->export_mask:c->mask; + export=SSL_IS_EXPORT(alg); + mask=export?c->export_mask:c->mask; kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (kalg & SSL_kDHr) @@ -1888,10 +1891,12 @@ SSL *s; return(s->rwstate); } -void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export)) +void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export, + int keylength)) { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); } -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export)) +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export, + int keylength)) { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); } #if defined(_WINDLL) && defined(WIN16) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 0cb5288c32..e4d783aa13 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -275,8 +275,8 @@ typedef struct cert_st RSA *rsa_tmp; DH *dh_tmp; - RSA *(*rsa_tmp_cb)(); - DH *(*dh_tmp_cb)(); + RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize); + DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize); CERT_PKEY pkeys[SSL_PKEY_NUM]; STACK *cert_chain; @@ -366,7 +366,7 @@ int ssl_undefined_function(SSL *s); X509 *ssl_get_server_send_cert(SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); -void ssl_set_cert_masks(CERT *c); +void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher); STACK *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 4662770e38..720abfa01e 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -75,7 +75,7 @@ #ifndef NOPROTO int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); -static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export); +static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export,int keylength); #ifndef NO_DSA static DH *get_dh512(void); #endif @@ -730,18 +730,19 @@ static DH *get_dh512() } #endif -static RSA MS_CALLBACK *tmp_rsa_cb(s,export) +static RSA MS_CALLBACK *tmp_rsa_cb(s,export,keylength) SSL *s; int export; +int keylength; { static RSA *rsa_tmp=NULL; if (rsa_tmp == NULL) { - BIO_printf(bio_err,"Generating temp (512 bit) RSA key..."); + BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); BIO_flush(bio_err); #ifndef NO_RSA - rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL); + rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); #endif BIO_printf(bio_err,"\n"); BIO_flush(bio_err); |