[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Fri Nov 27 17:25:23 UTC 2015
The branch master has been updated
via 2a9b96548afc0d540ab873a31dc1a72c66cba434 (commit)
from 9689a6aeed4ef7a2357cb95191b4313175440e4c (commit)
- Log -----------------------------------------------------------------
commit 2a9b96548afc0d540ab873a31dc1a72c66cba434
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 24 13:52:07 2015 +0000
Updates to GOST2012
Various updates following feedback from the recent commit of the new
GOST2012 code.
Reviewed-by: Andy Polyakov <appro at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_lib.c | 8 ++++----
ssl/ssl_lib.c | 2 ++
ssl/statem/statem_clnt.c | 18 ++++++++----------
ssl/statem/statem_lib.c | 5 ++++-
ssl/statem/statem_srvr.c | 19 +++++++++++--------
ssl/t1_trce.c | 34 +++++++++++++++++-----------------
6 files changed, 46 insertions(+), 40 deletions(-)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8c1b4aa..bf7336c 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1144,7 +1144,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
},
/* GOST Ciphersuites */
-
+#ifndef OPENSL_NO_GOST
{
1,
"GOST2001-GOST89-GOST89",
@@ -1173,7 +1173,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
0,
0
},
-
+#endif
#ifndef OPENSSL_NO_CAMELLIA
/* Camellia ciphersuites from RFC4132 (256-bit portion) */
@@ -3769,7 +3769,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
256,
256,
},
-
+#ifndef OPENSSL_NO_GOST
{
1,
"GOST2012-GOST8912-GOST8912",
@@ -3796,7 +3796,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256,
0,
0},
-
+#endif
/* end of list */
};
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index e02b049..a9370dc 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2068,6 +2068,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa);
#endif
+#ifndef OPENSSL_NO_GOST
cpk = &(c->pkeys[SSL_PKEY_GOST12_512]);
if (cpk->x509 != NULL && cpk->privatekey != NULL) {
mask_k |= SSL_kGOST;
@@ -2083,6 +2084,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher)
mask_k |= SSL_kGOST;
mask_a |= SSL_aGOST01;
}
+#endif
if (rsa_enc || (rsa_tmp && rsa_sign))
mask_k |= SSL_kRSA;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index c6bc86f..527101b 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2715,6 +2715,7 @@ psk_err:
EVP_PKEY_free(srvr_pub_pkey);
}
#endif /* !OPENSSL_NO_EC */
+#ifndef OPENSSL_NO_GOST
else if (alg_k & SSL_kGOST) {
/* GOST key exchange message creation */
EVP_PKEY_CTX *pkey_ctx;
@@ -2836,6 +2837,7 @@ psk_err:
EVP_PKEY_free(pub_key);
}
+#endif
#ifndef OPENSSL_NO_SRP
else if (alg_k & SSL_kSRP) {
if (s->srp_ctx.A != NULL) {
@@ -2964,7 +2966,7 @@ int tls_construct_client_verify(SSL *s)
const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
EVP_MD_CTX mctx;
unsigned u = 0;
- unsigned long n;
+ unsigned long n = 0;
long hdatalen = 0;
void *hdata;
@@ -2984,6 +2986,7 @@ int tls_construct_client_verify(SSL *s)
goto err;
}
p += 2;
+ n = 2;
}
#ifdef SSL_DEBUG
fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
@@ -2998,21 +3001,16 @@ int tls_construct_client_verify(SSL *s)
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
goto err;
}
+#ifndef OPENSSL_NO_GOST
if (pkey->type == NID_id_GostR3410_2001
|| pkey->type == NID_id_GostR3410_2012_256
|| pkey->type == NID_id_GostR3410_2012_512) {
- unsigned int i, k;
- for (i = u - 1, k = 0; k < u/2; k++, i--) {
- char c = p[2 + k];
- p[2 + k] = p[2 + i];
- p[2 + i] = c;
- }
+ BUF_reverse(p + 2, NULL, u);
}
+#endif
s2n(u, p);
- n = u + 2;
- if (SSL_USE_SIGALGS(s))
- n += 2;
+ n += u + 2;
/* Digest cached records and discard handshake buffer */
if (!ssl3_digest_cached_records(s, 0))
goto err;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 24bbded..ab860f6 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -623,13 +623,16 @@ int ssl_cert_type(X509 *x, EVP_PKEY *pkey)
ret = SSL_PKEY_ECC;
}
#endif
+#ifndef OPENSSL_NO_GOST
else if (i == NID_id_GostR3410_2001) {
ret = SSL_PKEY_GOST01;
} else if (i == NID_id_GostR3410_2012_256) {
ret = SSL_PKEY_GOST12_256;
} else if (i == NID_id_GostR3410_2012_512) {
ret = SSL_PKEY_GOST12_512;
- } else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX)) {
+ }
+#endif
+ else if (x && (i == EVP_PKEY_DH || i == EVP_PKEY_DHX)) {
/*
* For DH two cases: DH certificate signed with RSA and DH
* certificate signed with DSA.
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index d114621..dcfb44f 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2761,6 +2761,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
}
} else
#endif /* OPENSSL_NO_SRP */
+#ifndef OPENSSL_NO_GOST
if (alg_k & SSL_kGOST) {
EVP_PKEY_CTX *pkey_ctx;
EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
@@ -2854,7 +2855,9 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
EVP_PKEY_free(client_pub_pkey);
EVP_PKEY_CTX_free(pkey_ctx);
goto f_err;
- } else {
+ } else
+#endif
+ {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
goto f_err;
@@ -2988,9 +2991,12 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
* If key is GOST and n is exactly 64, it is bare signature without
* length field (CryptoPro implementations at least till CSP 4.0)
*/
+#ifndef OPENSSL_NO_GOST
if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) {
len = 64;
- } else {
+ } else
+#endif
+ {
if (SSL_USE_SIGALGS(s)) {
int rv;
@@ -3049,16 +3055,13 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
goto f_err;
}
+#ifndef OPENSSL_NO_GOST
if (pkey->type == NID_id_GostR3410_2001
|| pkey->type == NID_id_GostR3410_2012_256
|| pkey->type == NID_id_GostR3410_2012_512) {
- unsigned int j1, j2;
- for (j1 = len - 1, j2 = 0; j2 < len/2; j2++, j1--) {
- char c = data[j2];
- data[j2] = data[j1];
- data[j1] = c;
- }
+ BUF_reverse(data, NULL, len);
}
+#endif
if (s->version == SSL3_VERSION
&& !EVP_MD_CTX_ctrl(&mctx, EVP_CTRL_SSL3_MASTER_SECRET,
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index dc595ac..3a4f039 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -537,26 +537,26 @@ static ssl_trace_tbl ssl_point_tbl[] = {
};
static ssl_trace_tbl ssl_md_tbl[] = {
- {0, "none"},
- {1, "md5"},
- {2, "sha1"},
- {3, "sha224"},
- {4, "sha256"},
- {5, "sha384"},
- {6, "sha512"},
- {237, "md_gost94"},
- {238, "md_gost2012_256"},
- {239, "md_gost2012_512"},
+ {TLSEXT_hash_none, "none"},
+ {TLSEXT_hash_md5, "md5"},
+ {TLSEXT_hash_sha1, "sha1"},
+ {TLSEXT_hash_sha224, "sha224"},
+ {TLSEXT_hash_sha256, "sha256"},
+ {TLSEXT_hash_sha384, "sha384"},
+ {TLSEXT_hash_sha512, "sha512"},
+ {TLSEXT_hash_gostr3411, "md_gost94"},
+ {TLSEXT_hash_gostr34112012_256, "md_gost2012_256"},
+ {TLSEXT_hash_gostr34112012_512, "md_gost2012_512"}
};
static ssl_trace_tbl ssl_sig_tbl[] = {
- {0, "anonymous"},
- {1, "rsa"},
- {2, "dsa"},
- {3, "ecdsa"},
- {237, "gost2001"},
- {238, "gost2012_256"},
- {239, "gost2012_512"},
+ {TLSEXT_signature_anonymous, "anonymous"},
+ {TLSEXT_signature_rsa, "rsa"},
+ {TLSEXT_signature_dsa, "dsa"},
+ {TLSEXT_signature_ecdsa, "ecdsa"},
+ {TLSEXT_signature_gostr34102001, "gost2001"},
+ {TLSEXT_signature_gostr34102012_256, "gost2012_256"},
+ {TLSEXT_signature_gostr34102012_512, "gost2012_512"}
};
static ssl_trace_tbl ssl_hb_tbl[] = {
More information about the openssl-commits
mailing list