aboutsummaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2016-05-03 18:02:01 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2016-05-03 18:02:01 +0000
commit47b11f985b9e0ff561a67e19674de6fbcf79281d (patch)
treeda6c0490c1781cf42777777890fc53da00f780ed /ssl
parent8f9fae4c4537bd423d1a266b3280c396a2e90f44 (diff)
downloadsrc-47b11f985b9e0ff561a67e19674de6fbcf79281d.tar.gz
src-47b11f985b9e0ff561a67e19674de6fbcf79281d.zip
Import OpenSSL 1.0.1t.vendor/openssl/1.0.1t
Notes
Notes: svn path=/vendor-crypto/openssl/dist-1.0.1/; revision=298993 svn path=/vendor-crypto/openssl/1.0.1t/; revision=298994; tag=vendor/openssl/1.0.1t
Diffstat (limited to 'ssl')
-rw-r--r--ssl/d1_both.c2
-rw-r--r--ssl/s2_lib.c16
-rw-r--r--ssl/s2_meth.c14
-rw-r--r--ssl/s3_clnt.c2
-rw-r--r--ssl/s3_lib.c88
-rw-r--r--ssl/ssl.h4
-rw-r--r--ssl/ssl_ciph.c16
-rw-r--r--ssl/ssl_locl.h3
-rw-r--r--ssl/t1_lib.c6
9 files changed, 85 insertions, 66 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index aaa18677ceef..19c3da616122 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1579,6 +1579,8 @@ int dtls1_process_heartbeat(SSL *s)
* plus 2 bytes payload length, plus payload, plus padding
*/
buffer = OPENSSL_malloc(write_length);
+ if (buffer == NULL)
+ return -1;
bp = buffer;
/* Enter response type, length and copy payload */
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 82c173154980..7bcb81a11e2c 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
@@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_IDEA,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_DES,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
0,
56,
56,
@@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_3DES,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
0,
112,
168,
@@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL2_CF_8_BYTE_ENC,
64,
64,
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index b312f1726612..73885b7ecff8 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -57,7 +57,8 @@
*/
#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
+#ifndef OPENSSL_NO_SSL2_METHOD
+# ifndef OPENSSL_NO_SSL2
# include <stdio.h>
# include <openssl/objects.h>
@@ -72,7 +73,16 @@ static const SSL_METHOD *ssl2_get_method(int ver)
IMPLEMENT_ssl2_meth_func(SSLv2_method,
ssl2_accept, ssl2_connect, ssl2_get_method)
-#else /* !OPENSSL_NO_SSL2 */
+
+# else /* !OPENSSL_NO_SSL2 */
+
+const SSL_METHOD *SSLv2_method(void) { return NULL; }
+const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
+const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
+
+# endif
+
+#else /* !OPENSSL_NO_SSL2_METHOD */
# if PEDANTIC
static void *dummy = &dummy;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index cfa5080e6b77..9e5875f1f9ba 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err;
}
+ xn = NULL;
p += l;
nc += l + 2;
@@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
err:
s->state = SSL_ST_ERR;
done:
+ X509_NAME_free(xn);
if (ca_sk != NULL)
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return (ret);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index a48f2b652a15..35d6587da951 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -263,7 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -299,7 +299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -352,7 +352,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -370,7 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -404,7 +404,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -422,7 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -457,7 +457,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -475,7 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -509,7 +509,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -527,7 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -561,7 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -578,7 +578,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -595,7 +595,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -613,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -700,7 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -766,7 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -832,7 +832,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -850,7 +850,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -868,7 +868,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -886,7 +886,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -904,7 +904,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -922,7 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -1016,7 +1016,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1111,7 +1111,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1307,7 +1307,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1327,7 +1327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1343,7 +1343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2,
SSL_MD5,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1361,7 +1361,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -1379,7 +1379,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -1397,7 +1397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1415,7 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1530,7 +1530,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1546,7 +1546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1865,7 +1865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2045,7 +2045,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2061,7 +2061,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2414,7 +2414,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2446,7 +2446,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2462,7 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 105047ee4d5e..d6c475c27c08 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -334,7 +334,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
@@ -2017,7 +2017,7 @@ const char *SSL_get_version(const SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index cb559d987f60..56dd43721e10 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
- {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
- SSL_EXP_MASK, 0, 0, 0},
+ {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
@@ -1000,10 +999,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength);
#endif
- if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
- goto ok;
- if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
- goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1020,10 +1015,11 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
continue;
+ if ((algo_strength & SSL_NOT_DEFAULT)
+ && !(cp->algo_strength & SSL_NOT_DEFAULT))
+ continue;
}
- ok:
-
#ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule);
#endif
@@ -1307,6 +1303,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
ca_list[j]->algo_strength & SSL_STRONG_MASK;
}
+ if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) {
+ algo_strength |= SSL_NOT_DEFAULT;
+ }
+
if (ca_list[j]->valid) {
/*
* explicit ciphersuite found; its protocol version does not
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index f5d9df6bc0e6..d57b902fabbf 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -435,8 +435,9 @@
# define SSL_MEDIUM 0x00000040L
# define SSL_HIGH 0x00000080L
# define SSL_FIPS 0x00000100L
+# define SSL_NOT_DEFAULT 0x00000200L
-/* we have used 000001ff - 23 bits left to go */
+/* we have used 000003ff - 22 bits left to go */
/*-
* Macros to check the export status and cipher strength for export ciphers.
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2e9b65b3fdce..0bdb77d49fc3 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2321,8 +2321,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
sdec = OPENSSL_malloc(eticklen);
- if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
+ if (sdec == NULL
+ || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
EVP_CIPHER_CTX_cleanup(&ctx);
+ OPENSSL_free(sdec);
return -1;
}
if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
@@ -2579,6 +2581,8 @@ int tls1_process_heartbeat(SSL *s)
* plus 2 bytes payload length, plus payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+ if (buffer == NULL)
+ return -1;
bp = buffer;
/* Enter response type, length and copy payload */