[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Mon Jun 29 11:08:30 UTC 2015
The branch master has been updated
via b34f691ddbf618978ed9e97a0b9209937c1da26e (commit)
via 57b272b01a9843c7e034feba7bfde5eaecc8bdb0 (commit)
from 7f098cb4360a2677aab741ffc661964c501dd51e (commit)
- Log -----------------------------------------------------------------
commit b34f691ddbf618978ed9e97a0b9209937c1da26e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Thu Jun 25 15:06:14 2015 +0100
make update
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 57b272b01a9843c7e034feba7bfde5eaecc8bdb0
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Jun 17 04:10:04 2015 +0100
Use single master secret generation function.
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
include/openssl/ssl.h | 2 --
ssl/s3_clnt.c | 16 +++------------
ssl/s3_lib.c | 15 ++++++++++++++
ssl/s3_srvr.c | 56 ++++++++++-----------------------------------------
ssl/ssl_locl.h | 4 ++++
ssl/tls_srp.c | 13 ++++--------
util/ssleay.num | 8 ++++----
7 files changed, 41 insertions(+), 73 deletions(-)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index cd932e5..3027617 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -636,9 +636,7 @@ __owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
int SSL_SRP_CTX_free(SSL *ctx);
int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
__owur int SSL_srp_server_param_with_username(SSL *s, int *ad);
-__owur int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key);
__owur int SRP_Calc_A_param(SSL *s);
-__owur int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key);
# endif
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f912f2c..1a925a7 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2891,13 +2891,10 @@ int ssl3_send_client_key_exchange(SSL *s)
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
/*
* If everything written generate master key: no need to save PMS as
- * SRP_generate_client_master_secret generates it internally.
+ * srp_generate_client_master_secret generates it internally.
*/
if (n > 0) {
- if ((s->session->master_key_length =
- SRP_generate_client_master_secret(s,
- s->session->master_key)) <
- 0) {
+ if (!srp_generate_client_master_secret(s)) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -2920,14 +2917,7 @@ int ssl3_send_client_key_exchange(SSL *s)
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto err;
}
- s->session->master_key_length =
- s->method->ssl3_enc->generate_master_secret(s,
- s->
- session->master_key,
- pms, pmslen);
- OPENSSL_clear_free(pms, pmslen);
- s->s3->tmp.pms = NULL;
- if (s->session->master_key_length < 0) {
+ if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0550471..54c902d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4291,3 +4291,18 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
} else
return RAND_bytes(result, len);
}
+
+int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
+ int free_pms)
+{
+ s->session->master_key_length =
+ s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,
+ pms, pmslen);
+ if (free_pms)
+ OPENSSL_clear_free(pms, pmslen);
+ else
+ OPENSSL_cleanse(pms, pmslen);
+ if (s->server == 0)
+ s->s3->tmp.pms = NULL;
+ return s->session->master_key_length >= 0;
+}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 203e894..cbe80eb 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2381,15 +2381,7 @@ int ssl3_get_client_key_exchange(SSL *s)
rand_premaster_secret[j]);
}
- s->session->master_key_length =
- s->method->ssl3_enc->generate_master_secret(s,
- s->
- session->master_key,
- p,
- sizeof
- (rand_premaster_secret));
- OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
- if (s->session->master_key_length < 0) {
+ if (!ssl_generate_master_secret(s, p, sizeof(rand_premaster_secret), 0)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
@@ -2480,13 +2472,7 @@ int ssl3_get_client_key_exchange(SSL *s)
else
BN_clear_free(pub);
pub = NULL;
- s->session->master_key_length =
- s->method->ssl3_enc->generate_master_secret(s,
- s->
- session->master_key,
- p, i);
- OPENSSL_cleanse(p, i);
- if (s->session->master_key_length < 0) {
+ if (!ssl_generate_master_secret(s, p, i, 0)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
@@ -2618,15 +2604,7 @@ int ssl3_get_client_key_exchange(SSL *s)
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
- /* Compute the master secret */
- s->session->master_key_length =
- s->method->ssl3_enc->generate_master_secret(s,
- s->
- session->master_key,
- p, i);
-
- OPENSSL_cleanse(p, i);
- if (s->session->master_key_length < 0) {
+ if (!ssl_generate_master_secret(s, p, i, 0)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
@@ -2707,22 +2685,17 @@ int ssl3_get_client_key_exchange(SSL *s)
goto psk_err;
}
- s->session->master_key_length =
- s->method->ssl3_enc->generate_master_secret(s,
- s->
- session->master_key,
- psk_or_pre_ms,
- pre_ms_len);
- if (s->session->master_key_length < 0) {
+ if (!ssl_generate_master_secret(s, psk_or_pre_ms, pre_ms_len, 0)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto psk_err;
+ goto f_err;
}
psk_err = 0;
psk_err:
- OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
- if (psk_err != 0)
+ if (psk_err != 0) {
+ OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
goto f_err;
+ }
} else
#endif
#ifndef OPENSSL_NO_SRP
@@ -2755,9 +2728,7 @@ int ssl3_get_client_key_exchange(SSL *s)
goto err;
}
- if ((s->session->master_key_length =
- SRP_generate_server_master_secret(s,
- s->session->master_key)) < 0) {
+ if (!srp_generate_server_master_secret(s)) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -2813,13 +2784,8 @@ int ssl3_get_client_key_exchange(SSL *s)
goto gerr;
}
/* Generate master secret */
- s->session->master_key_length =
- s->method->ssl3_enc->generate_master_secret(s,
- s->
- session->master_key,
- premaster_secret, 32);
- OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret));
- if (s->session->master_key_length < 0) {
+ if (!ssl_generate_master_secret(s, premaster_secret,
+ sizeof(premaster_secret), 0)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 8f8d997..3507d9a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1890,6 +1890,8 @@ __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
__owur int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void);
__owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
+__owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
+ int free_pms);
__owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
@@ -2159,6 +2161,8 @@ void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
EVP_MD_CTX *mac_ctx, const unsigned char *data,
size_t data_len, size_t orig_len);
+__owur int srp_generate_server_master_secret(SSL *s);
+__owur int srp_generate_client_master_secret(SSL *s);
__owur int srp_verify_server_param(SSL *s, int *al);
/* t1_ext.c */
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 6bd7845..91b88cd 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -332,7 +332,7 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
return 1;
}
-int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
+int srp_generate_server_master_secret(SSL *s)
{
BIGNUM *K = NULL, *u = NULL;
int ret = -1, tmp_len = 0;
@@ -350,17 +350,15 @@ int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
goto err;
BN_bn2bin(K, tmp);
- ret = s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
- tmp_len);
+ ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
err:
- OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K);
BN_clear_free(u);
return ret;
}
/* client side */
-int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
+int srp_generate_client_master_secret(SSL *s)
{
BIGNUM *x = NULL, *u = NULL, *K = NULL;
int ret = -1, tmp_len = 0;
@@ -391,11 +389,8 @@ int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
goto err;
BN_bn2bin(K, tmp);
- ret =
- s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
- tmp_len);
+ ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
err:
- OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K);
BN_clear_free(x);
OPENSSL_clear_free(passwd, strlen(passwd));
diff --git a/util/ssleay.num b/util/ssleay.num
index 1441be7..ddaf306 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -286,11 +286,11 @@ SSL_CTX_set_srp_username 329 EXIST::FUNCTION:SRP
SSL_CTX_SRP_CTX_init 330 EXIST::FUNCTION:SRP
SSL_SRP_CTX_init 331 EXIST::FUNCTION:SRP
SRP_Calc_A_param 332 EXIST::FUNCTION:SRP
-SRP_generate_server_master_secret 333 EXIST:!VMS:FUNCTION:SRP
-SRP_gen_server_master_secret 333 EXIST:VMS:FUNCTION:SRP
+SRP_gen_server_master_secret 333 NOEXIST::FUNCTION:
+SRP_generate_server_master_secret 333 NOEXIST::FUNCTION:
SSL_CTX_SRP_CTX_free 334 EXIST::FUNCTION:SRP
-SRP_generate_client_master_secret 335 EXIST:!VMS:FUNCTION:SRP
-SRP_gen_client_master_secret 335 EXIST:VMS:FUNCTION:SRP
+SRP_gen_client_master_secret 335 NOEXIST::FUNCTION:
+SRP_generate_client_master_secret 335 NOEXIST::FUNCTION:
SSL_srp_server_param_with_username 336 EXIST:!VMS:FUNCTION:SRP
SSL_srp_server_param_with_un 336 EXIST:VMS:FUNCTION:SRP
SRP_have_to_put_srp_username 337 NOEXIST::FUNCTION:
More information about the openssl-commits
mailing list