diff options
| author | jsing <> | 2014-05-29 16:00:16 +0000 |
|---|---|---|
| committer | jsing <> | 2014-05-29 16:00:16 +0000 |
| commit | 523d54282c543c650be946602c618cf48ec008de (patch) | |
| tree | e07ac6c4959ebe2e5276d36c944d7ec20c8f2f6d | |
| parent | 58eb928f74719c054467fb1c9ed254eab20bf136 (diff) | |
| download | openbsd-523d54282c543c650be946602c618cf48ec008de.tar.gz openbsd-523d54282c543c650be946602c618cf48ec008de.tar.bz2 openbsd-523d54282c543c650be946602c618cf48ec008de.zip | |
Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.
This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.
Based on changes in OpenSSL head.
No objection from miod@
| -rw-r--r-- | src/lib/libssl/d1_lib.c | 1 | ||||
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 2 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/d1_lib.c | 1 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_lib.c | 2 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 1 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_locl.h | 37 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_clnt.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 38 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_meth.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_srvr.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 1 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 37 | ||||
| -rw-r--r-- | src/lib/libssl/t1_clnt.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 38 | ||||
| -rw-r--r-- | src/lib/libssl/t1_meth.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/t1_srvr.c | 4 |
16 files changed, 164 insertions, 18 deletions
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c index 87bc9b68c6..4ee3e36168 100644 --- a/src/lib/libssl/d1_lib.c +++ b/src/lib/libssl/d1_lib.c | |||
| @@ -86,6 +86,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data = { | |||
| 86 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | 86 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, |
| 87 | .alert_value = tls1_alert_code, | 87 | .alert_value = tls1_alert_code, |
| 88 | .export_keying_material = tls1_export_keying_material, | 88 | .export_keying_material = tls1_export_keying_material, |
| 89 | .enc_flags = SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV, | ||
| 89 | }; | 90 | }; |
| 90 | 91 | ||
| 91 | long | 92 | long |
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 2f4ab38863..e3770bd0ae 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -2270,6 +2270,7 @@ SSL3_ENC_METHOD SSLv3_enc_data = { | |||
| 2270 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, | 2270 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, |
| 2271 | const char *, size_t, const unsigned char *, size_t, | 2271 | const char *, size_t, const unsigned char *, size_t, |
| 2272 | int use_context))ssl_undefined_function, | 2272 | int use_context))ssl_undefined_function, |
| 2273 | .enc_flags = 0, | ||
| 2273 | }; | 2274 | }; |
| 2274 | 2275 | ||
| 2275 | long | 2276 | long |
| @@ -3062,7 +3063,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
| 3062 | emask_k = cert->export_mask_k; | 3063 | emask_k = cert->export_mask_k; |
| 3063 | emask_a = cert->export_mask_a; | 3064 | emask_a = cert->export_mask_a; |
| 3064 | 3065 | ||
| 3065 | |||
| 3066 | alg_k = c->algorithm_mkey; | 3066 | alg_k = c->algorithm_mkey; |
| 3067 | alg_a = c->algorithm_auth; | 3067 | alg_a = c->algorithm_auth; |
| 3068 | 3068 | ||
diff --git a/src/lib/libssl/src/ssl/d1_lib.c b/src/lib/libssl/src/ssl/d1_lib.c index 87bc9b68c6..4ee3e36168 100644 --- a/src/lib/libssl/src/ssl/d1_lib.c +++ b/src/lib/libssl/src/ssl/d1_lib.c | |||
| @@ -86,6 +86,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data = { | |||
| 86 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | 86 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, |
| 87 | .alert_value = tls1_alert_code, | 87 | .alert_value = tls1_alert_code, |
| 88 | .export_keying_material = tls1_export_keying_material, | 88 | .export_keying_material = tls1_export_keying_material, |
| 89 | .enc_flags = SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV, | ||
| 89 | }; | 90 | }; |
| 90 | 91 | ||
| 91 | long | 92 | long |
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index 2f4ab38863..e3770bd0ae 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c | |||
| @@ -2270,6 +2270,7 @@ SSL3_ENC_METHOD SSLv3_enc_data = { | |||
| 2270 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, | 2270 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, |
| 2271 | const char *, size_t, const unsigned char *, size_t, | 2271 | const char *, size_t, const unsigned char *, size_t, |
| 2272 | int use_context))ssl_undefined_function, | 2272 | int use_context))ssl_undefined_function, |
| 2273 | .enc_flags = 0, | ||
| 2273 | }; | 2274 | }; |
| 2274 | 2275 | ||
| 2275 | long | 2276 | long |
| @@ -3062,7 +3063,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
| 3062 | emask_k = cert->export_mask_k; | 3063 | emask_k = cert->export_mask_k; |
| 3063 | emask_a = cert->export_mask_a; | 3064 | emask_a = cert->export_mask_a; |
| 3064 | 3065 | ||
| 3065 | |||
| 3066 | alg_k = c->algorithm_mkey; | 3066 | alg_k = c->algorithm_mkey; |
| 3067 | alg_a = c->algorithm_auth; | 3067 | alg_a = c->algorithm_auth; |
| 3068 | 3068 | ||
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index f1c92ee2f6..6cc02c8d7a 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c | |||
| @@ -182,6 +182,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = { | |||
| 182 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, | 182 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, |
| 183 | const char *, size_t, const unsigned char *, size_t, | 183 | const char *, size_t, const unsigned char *, size_t, |
| 184 | int use_context))ssl_undefined_function, | 184 | int use_context))ssl_undefined_function, |
| 185 | .enc_flags = 0, | ||
| 185 | }; | 186 | }; |
| 186 | 187 | ||
| 187 | int | 188 | int |
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 464a4a88fe..11250ba468 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h | |||
| @@ -408,8 +408,20 @@ | |||
| 408 | (c)->algo_strength) | 408 | (c)->algo_strength) |
| 409 | #define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength) | 409 | #define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength) |
| 410 | 410 | ||
| 411 | /* Check if an SSL structure is using DTLS. */ | ||
| 412 | #define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) | ||
| 411 | 413 | ||
| 414 | /* See if we need explicit IV. */ | ||
| 415 | #define SSL_USE_EXPLICIT_IV(s) \ | ||
| 416 | (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) | ||
| 412 | 417 | ||
| 418 | /* See if we use signature algorithms extension. */ | ||
| 419 | #define SSL_USE_SIGALGS(s) \ | ||
| 420 | (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) | ||
| 421 | |||
| 422 | /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ | ||
| 423 | #define SSL_USE_TLS1_2_CIPHERS(s) \ | ||
| 424 | (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) | ||
| 413 | 425 | ||
| 414 | /* Mostly for SSLv3 */ | 426 | /* Mostly for SSLv3 */ |
| 415 | #define SSL_PKEY_RSA_ENC 0 | 427 | #define SSL_PKEY_RSA_ENC 0 |
| @@ -535,8 +547,29 @@ typedef struct ssl3_enc_method { | |||
| 535 | int (*export_keying_material)(SSL *, unsigned char *, size_t, | 547 | int (*export_keying_material)(SSL *, unsigned char *, size_t, |
| 536 | const char *, size_t, const unsigned char *, size_t, | 548 | const char *, size_t, const unsigned char *, size_t, |
| 537 | int use_context); | 549 | int use_context); |
| 550 | /* Flags indicating protocol version requirements. */ | ||
| 551 | unsigned int enc_flags; | ||
| 538 | } SSL3_ENC_METHOD; | 552 | } SSL3_ENC_METHOD; |
| 539 | 553 | ||
| 554 | /* | ||
| 555 | * Flag values for enc_flags. | ||
| 556 | */ | ||
| 557 | |||
| 558 | /* Uses explicit IV. */ | ||
| 559 | #define SSL_ENC_FLAG_EXPLICIT_IV (1 << 0) | ||
| 560 | |||
| 561 | /* Uses signature algorithms extension. */ | ||
| 562 | #define SSL_ENC_FLAG_SIGALGS (1 << 1) | ||
| 563 | |||
| 564 | /* Uses SHA256 default PRF. */ | ||
| 565 | #define SSL_ENC_FLAG_SHA256_PRF (1 << 2) | ||
| 566 | |||
| 567 | /* Is DTLS. */ | ||
| 568 | #define SSL_ENC_FLAG_DTLS (1 << 3) | ||
| 569 | |||
| 570 | /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ | ||
| 571 | #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) | ||
| 572 | |||
| 540 | #ifndef OPENSSL_NO_COMP | 573 | #ifndef OPENSSL_NO_COMP |
| 541 | /* Used for holding the relevant compression methods loaded into SSL_CTX */ | 574 | /* Used for holding the relevant compression methods loaded into SSL_CTX */ |
| 542 | typedef struct ssl3_comp_st { | 575 | typedef struct ssl3_comp_st { |
| @@ -552,11 +585,11 @@ extern SSL_CIPHER ssl3_ciphers[]; | |||
| 552 | SSL_METHOD *ssl_bad_method(int ver); | 585 | SSL_METHOD *ssl_bad_method(int ver); |
| 553 | 586 | ||
| 554 | extern SSL3_ENC_METHOD TLSv1_enc_data; | 587 | extern SSL3_ENC_METHOD TLSv1_enc_data; |
| 588 | extern SSL3_ENC_METHOD TLSv1_1_enc_data; | ||
| 589 | extern SSL3_ENC_METHOD TLSv1_2_enc_data; | ||
| 555 | extern SSL3_ENC_METHOD SSLv3_enc_data; | 590 | extern SSL3_ENC_METHOD SSLv3_enc_data; |
| 556 | extern SSL3_ENC_METHOD DTLSv1_enc_data; | 591 | extern SSL3_ENC_METHOD DTLSv1_enc_data; |
| 557 | 592 | ||
| 558 | #define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) | ||
| 559 | |||
| 560 | void ssl_clear_cipher_ctx(SSL *s); | 593 | void ssl_clear_cipher_ctx(SSL *s); |
| 561 | int ssl_clear_bad_session(SSL *s); | 594 | int ssl_clear_bad_session(SSL *s); |
| 562 | CERT *ssl_cert_new(void); | 595 | CERT *ssl_cert_new(void); |
diff --git a/src/lib/libssl/src/ssl/t1_clnt.c b/src/lib/libssl/src/ssl/t1_clnt.c index 2223422d93..39b1d2a324 100644 --- a/src/lib/libssl/src/ssl/t1_clnt.c +++ b/src/lib/libssl/src/ssl/t1_clnt.c | |||
| @@ -123,7 +123,7 @@ const SSL_METHOD TLSv1_1_client_method_data = { | |||
| 123 | .get_cipher = ssl3_get_cipher, | 123 | .get_cipher = ssl3_get_cipher, |
| 124 | .get_ssl_method = tls1_get_client_method, | 124 | .get_ssl_method = tls1_get_client_method, |
| 125 | .get_timeout = tls1_default_timeout, | 125 | .get_timeout = tls1_default_timeout, |
| 126 | .ssl3_enc = &TLSv1_enc_data, | 126 | .ssl3_enc = &TLSv1_1_enc_data, |
| 127 | .ssl_version = ssl_undefined_void_function, | 127 | .ssl_version = ssl_undefined_void_function, |
| 128 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 128 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 129 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 129 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
| @@ -155,7 +155,7 @@ const SSL_METHOD TLSv1_2_client_method_data = { | |||
| 155 | .get_cipher = ssl3_get_cipher, | 155 | .get_cipher = ssl3_get_cipher, |
| 156 | .get_ssl_method = tls1_get_client_method, | 156 | .get_ssl_method = tls1_get_client_method, |
| 157 | .get_timeout = tls1_default_timeout, | 157 | .get_timeout = tls1_default_timeout, |
| 158 | .ssl3_enc = &TLSv1_enc_data, | 158 | .ssl3_enc = &TLSv1_2_enc_data, |
| 159 | .ssl_version = ssl_undefined_void_function, | 159 | .ssl_version = ssl_undefined_void_function, |
| 160 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 160 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 161 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 161 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index 205c2558fb..1424eab6e6 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -140,6 +140,44 @@ SSL3_ENC_METHOD TLSv1_enc_data = { | |||
| 140 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | 140 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, |
| 141 | .alert_value = tls1_alert_code, | 141 | .alert_value = tls1_alert_code, |
| 142 | .export_keying_material = tls1_export_keying_material, | 142 | .export_keying_material = tls1_export_keying_material, |
| 143 | .enc_flags = 0, | ||
| 144 | }; | ||
| 145 | |||
| 146 | SSL3_ENC_METHOD TLSv1_1_enc_data = { | ||
| 147 | .enc = tls1_enc, | ||
| 148 | .mac = tls1_mac, | ||
| 149 | .setup_key_block = tls1_setup_key_block, | ||
| 150 | .generate_master_secret = tls1_generate_master_secret, | ||
| 151 | .change_cipher_state = tls1_change_cipher_state, | ||
| 152 | .final_finish_mac = tls1_final_finish_mac, | ||
| 153 | .finish_mac_length = TLS1_FINISH_MAC_LENGTH, | ||
| 154 | .cert_verify_mac = tls1_cert_verify_mac, | ||
| 155 | .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, | ||
| 156 | .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, | ||
| 157 | .server_finished_label = TLS_MD_SERVER_FINISH_CONST, | ||
| 158 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | ||
| 159 | .alert_value = tls1_alert_code, | ||
| 160 | .export_keying_material = tls1_export_keying_material, | ||
| 161 | .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, | ||
| 162 | }; | ||
| 163 | |||
| 164 | SSL3_ENC_METHOD TLSv1_2_enc_data = { | ||
| 165 | .enc = tls1_enc, | ||
| 166 | .mac = tls1_mac, | ||
| 167 | .setup_key_block = tls1_setup_key_block, | ||
| 168 | .generate_master_secret = tls1_generate_master_secret, | ||
| 169 | .change_cipher_state = tls1_change_cipher_state, | ||
| 170 | .final_finish_mac = tls1_final_finish_mac, | ||
| 171 | .finish_mac_length = TLS1_FINISH_MAC_LENGTH, | ||
| 172 | .cert_verify_mac = tls1_cert_verify_mac, | ||
| 173 | .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, | ||
| 174 | .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, | ||
| 175 | .server_finished_label = TLS_MD_SERVER_FINISH_CONST, | ||
| 176 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | ||
| 177 | .alert_value = tls1_alert_code, | ||
| 178 | .export_keying_material = tls1_export_keying_material, | ||
| 179 | .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| | ||
| 180 | SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, | ||
| 143 | }; | 181 | }; |
| 144 | 182 | ||
| 145 | long | 183 | long |
diff --git a/src/lib/libssl/src/ssl/t1_meth.c b/src/lib/libssl/src/ssl/t1_meth.c index b39303b369..6bdffd2332 100644 --- a/src/lib/libssl/src/ssl/t1_meth.c +++ b/src/lib/libssl/src/ssl/t1_meth.c | |||
| @@ -120,7 +120,7 @@ const SSL_METHOD TLSv1_1_method_data = { | |||
| 120 | .get_cipher = ssl3_get_cipher, | 120 | .get_cipher = ssl3_get_cipher, |
| 121 | .get_ssl_method = tls1_get_method, | 121 | .get_ssl_method = tls1_get_method, |
| 122 | .get_timeout = tls1_default_timeout, | 122 | .get_timeout = tls1_default_timeout, |
| 123 | .ssl3_enc = &TLSv1_enc_data, | 123 | .ssl3_enc = &TLSv1_1_enc_data, |
| 124 | .ssl_version = ssl_undefined_void_function, | 124 | .ssl_version = ssl_undefined_void_function, |
| 125 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 125 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 126 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 126 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
| @@ -152,7 +152,7 @@ const SSL_METHOD TLSv1_2_method_data = { | |||
| 152 | .get_cipher = ssl3_get_cipher, | 152 | .get_cipher = ssl3_get_cipher, |
| 153 | .get_ssl_method = tls1_get_method, | 153 | .get_ssl_method = tls1_get_method, |
| 154 | .get_timeout = tls1_default_timeout, | 154 | .get_timeout = tls1_default_timeout, |
| 155 | .ssl3_enc = &TLSv1_enc_data, | 155 | .ssl3_enc = &TLSv1_2_enc_data, |
| 156 | .ssl_version = ssl_undefined_void_function, | 156 | .ssl_version = ssl_undefined_void_function, |
| 157 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 157 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 158 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 158 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
diff --git a/src/lib/libssl/src/ssl/t1_srvr.c b/src/lib/libssl/src/ssl/t1_srvr.c index d38afc5a21..721b190a84 100644 --- a/src/lib/libssl/src/ssl/t1_srvr.c +++ b/src/lib/libssl/src/ssl/t1_srvr.c | |||
| @@ -124,7 +124,7 @@ const SSL_METHOD TLSv1_1_server_method_data = { | |||
| 124 | .get_cipher = ssl3_get_cipher, | 124 | .get_cipher = ssl3_get_cipher, |
| 125 | .get_ssl_method = tls1_get_server_method, | 125 | .get_ssl_method = tls1_get_server_method, |
| 126 | .get_timeout = tls1_default_timeout, | 126 | .get_timeout = tls1_default_timeout, |
| 127 | .ssl3_enc = &TLSv1_enc_data, | 127 | .ssl3_enc = &TLSv1_1_enc_data, |
| 128 | .ssl_version = ssl_undefined_void_function, | 128 | .ssl_version = ssl_undefined_void_function, |
| 129 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 129 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 130 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 130 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
| @@ -156,7 +156,7 @@ const SSL_METHOD TLSv1_2_server_method_data = { | |||
| 156 | .get_cipher = ssl3_get_cipher, | 156 | .get_cipher = ssl3_get_cipher, |
| 157 | .get_ssl_method = tls1_get_server_method, | 157 | .get_ssl_method = tls1_get_server_method, |
| 158 | .get_timeout = tls1_default_timeout, | 158 | .get_timeout = tls1_default_timeout, |
| 159 | .ssl3_enc = &TLSv1_enc_data, | 159 | .ssl3_enc = &TLSv1_2_enc_data, |
| 160 | .ssl_version = ssl_undefined_void_function, | 160 | .ssl_version = ssl_undefined_void_function, |
| 161 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 161 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 162 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 162 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index f1c92ee2f6..6cc02c8d7a 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -182,6 +182,7 @@ SSL3_ENC_METHOD ssl3_undef_enc_method = { | |||
| 182 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, | 182 | .export_keying_material = (int (*)(SSL *, unsigned char *, size_t, |
| 183 | const char *, size_t, const unsigned char *, size_t, | 183 | const char *, size_t, const unsigned char *, size_t, |
| 184 | int use_context))ssl_undefined_function, | 184 | int use_context))ssl_undefined_function, |
| 185 | .enc_flags = 0, | ||
| 185 | }; | 186 | }; |
| 186 | 187 | ||
| 187 | int | 188 | int |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 464a4a88fe..11250ba468 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -408,8 +408,20 @@ | |||
| 408 | (c)->algo_strength) | 408 | (c)->algo_strength) |
| 409 | #define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength) | 409 | #define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength) |
| 410 | 410 | ||
| 411 | /* Check if an SSL structure is using DTLS. */ | ||
| 412 | #define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) | ||
| 411 | 413 | ||
| 414 | /* See if we need explicit IV. */ | ||
| 415 | #define SSL_USE_EXPLICIT_IV(s) \ | ||
| 416 | (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV) | ||
| 412 | 417 | ||
| 418 | /* See if we use signature algorithms extension. */ | ||
| 419 | #define SSL_USE_SIGALGS(s) \ | ||
| 420 | (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS) | ||
| 421 | |||
| 422 | /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ | ||
| 423 | #define SSL_USE_TLS1_2_CIPHERS(s) \ | ||
| 424 | (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) | ||
| 413 | 425 | ||
| 414 | /* Mostly for SSLv3 */ | 426 | /* Mostly for SSLv3 */ |
| 415 | #define SSL_PKEY_RSA_ENC 0 | 427 | #define SSL_PKEY_RSA_ENC 0 |
| @@ -535,8 +547,29 @@ typedef struct ssl3_enc_method { | |||
| 535 | int (*export_keying_material)(SSL *, unsigned char *, size_t, | 547 | int (*export_keying_material)(SSL *, unsigned char *, size_t, |
| 536 | const char *, size_t, const unsigned char *, size_t, | 548 | const char *, size_t, const unsigned char *, size_t, |
| 537 | int use_context); | 549 | int use_context); |
| 550 | /* Flags indicating protocol version requirements. */ | ||
| 551 | unsigned int enc_flags; | ||
| 538 | } SSL3_ENC_METHOD; | 552 | } SSL3_ENC_METHOD; |
| 539 | 553 | ||
| 554 | /* | ||
| 555 | * Flag values for enc_flags. | ||
| 556 | */ | ||
| 557 | |||
| 558 | /* Uses explicit IV. */ | ||
| 559 | #define SSL_ENC_FLAG_EXPLICIT_IV (1 << 0) | ||
| 560 | |||
| 561 | /* Uses signature algorithms extension. */ | ||
| 562 | #define SSL_ENC_FLAG_SIGALGS (1 << 1) | ||
| 563 | |||
| 564 | /* Uses SHA256 default PRF. */ | ||
| 565 | #define SSL_ENC_FLAG_SHA256_PRF (1 << 2) | ||
| 566 | |||
| 567 | /* Is DTLS. */ | ||
| 568 | #define SSL_ENC_FLAG_DTLS (1 << 3) | ||
| 569 | |||
| 570 | /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ | ||
| 571 | #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) | ||
| 572 | |||
| 540 | #ifndef OPENSSL_NO_COMP | 573 | #ifndef OPENSSL_NO_COMP |
| 541 | /* Used for holding the relevant compression methods loaded into SSL_CTX */ | 574 | /* Used for holding the relevant compression methods loaded into SSL_CTX */ |
| 542 | typedef struct ssl3_comp_st { | 575 | typedef struct ssl3_comp_st { |
| @@ -552,11 +585,11 @@ extern SSL_CIPHER ssl3_ciphers[]; | |||
| 552 | SSL_METHOD *ssl_bad_method(int ver); | 585 | SSL_METHOD *ssl_bad_method(int ver); |
| 553 | 586 | ||
| 554 | extern SSL3_ENC_METHOD TLSv1_enc_data; | 587 | extern SSL3_ENC_METHOD TLSv1_enc_data; |
| 588 | extern SSL3_ENC_METHOD TLSv1_1_enc_data; | ||
| 589 | extern SSL3_ENC_METHOD TLSv1_2_enc_data; | ||
| 555 | extern SSL3_ENC_METHOD SSLv3_enc_data; | 590 | extern SSL3_ENC_METHOD SSLv3_enc_data; |
| 556 | extern SSL3_ENC_METHOD DTLSv1_enc_data; | 591 | extern SSL3_ENC_METHOD DTLSv1_enc_data; |
| 557 | 592 | ||
| 558 | #define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) | ||
| 559 | |||
| 560 | void ssl_clear_cipher_ctx(SSL *s); | 593 | void ssl_clear_cipher_ctx(SSL *s); |
| 561 | int ssl_clear_bad_session(SSL *s); | 594 | int ssl_clear_bad_session(SSL *s); |
| 562 | CERT *ssl_cert_new(void); | 595 | CERT *ssl_cert_new(void); |
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c index 2223422d93..39b1d2a324 100644 --- a/src/lib/libssl/t1_clnt.c +++ b/src/lib/libssl/t1_clnt.c | |||
| @@ -123,7 +123,7 @@ const SSL_METHOD TLSv1_1_client_method_data = { | |||
| 123 | .get_cipher = ssl3_get_cipher, | 123 | .get_cipher = ssl3_get_cipher, |
| 124 | .get_ssl_method = tls1_get_client_method, | 124 | .get_ssl_method = tls1_get_client_method, |
| 125 | .get_timeout = tls1_default_timeout, | 125 | .get_timeout = tls1_default_timeout, |
| 126 | .ssl3_enc = &TLSv1_enc_data, | 126 | .ssl3_enc = &TLSv1_1_enc_data, |
| 127 | .ssl_version = ssl_undefined_void_function, | 127 | .ssl_version = ssl_undefined_void_function, |
| 128 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 128 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 129 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 129 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
| @@ -155,7 +155,7 @@ const SSL_METHOD TLSv1_2_client_method_data = { | |||
| 155 | .get_cipher = ssl3_get_cipher, | 155 | .get_cipher = ssl3_get_cipher, |
| 156 | .get_ssl_method = tls1_get_client_method, | 156 | .get_ssl_method = tls1_get_client_method, |
| 157 | .get_timeout = tls1_default_timeout, | 157 | .get_timeout = tls1_default_timeout, |
| 158 | .ssl3_enc = &TLSv1_enc_data, | 158 | .ssl3_enc = &TLSv1_2_enc_data, |
| 159 | .ssl_version = ssl_undefined_void_function, | 159 | .ssl_version = ssl_undefined_void_function, |
| 160 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 160 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 161 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 161 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 205c2558fb..1424eab6e6 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -140,6 +140,44 @@ SSL3_ENC_METHOD TLSv1_enc_data = { | |||
| 140 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | 140 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, |
| 141 | .alert_value = tls1_alert_code, | 141 | .alert_value = tls1_alert_code, |
| 142 | .export_keying_material = tls1_export_keying_material, | 142 | .export_keying_material = tls1_export_keying_material, |
| 143 | .enc_flags = 0, | ||
| 144 | }; | ||
| 145 | |||
| 146 | SSL3_ENC_METHOD TLSv1_1_enc_data = { | ||
| 147 | .enc = tls1_enc, | ||
| 148 | .mac = tls1_mac, | ||
| 149 | .setup_key_block = tls1_setup_key_block, | ||
| 150 | .generate_master_secret = tls1_generate_master_secret, | ||
| 151 | .change_cipher_state = tls1_change_cipher_state, | ||
| 152 | .final_finish_mac = tls1_final_finish_mac, | ||
| 153 | .finish_mac_length = TLS1_FINISH_MAC_LENGTH, | ||
| 154 | .cert_verify_mac = tls1_cert_verify_mac, | ||
| 155 | .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, | ||
| 156 | .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, | ||
| 157 | .server_finished_label = TLS_MD_SERVER_FINISH_CONST, | ||
| 158 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | ||
| 159 | .alert_value = tls1_alert_code, | ||
| 160 | .export_keying_material = tls1_export_keying_material, | ||
| 161 | .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, | ||
| 162 | }; | ||
| 163 | |||
| 164 | SSL3_ENC_METHOD TLSv1_2_enc_data = { | ||
| 165 | .enc = tls1_enc, | ||
| 166 | .mac = tls1_mac, | ||
| 167 | .setup_key_block = tls1_setup_key_block, | ||
| 168 | .generate_master_secret = tls1_generate_master_secret, | ||
| 169 | .change_cipher_state = tls1_change_cipher_state, | ||
| 170 | .final_finish_mac = tls1_final_finish_mac, | ||
| 171 | .finish_mac_length = TLS1_FINISH_MAC_LENGTH, | ||
| 172 | .cert_verify_mac = tls1_cert_verify_mac, | ||
| 173 | .client_finished_label = TLS_MD_CLIENT_FINISH_CONST, | ||
| 174 | .client_finished_label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE, | ||
| 175 | .server_finished_label = TLS_MD_SERVER_FINISH_CONST, | ||
| 176 | .server_finished_label_len = TLS_MD_SERVER_FINISH_CONST_SIZE, | ||
| 177 | .alert_value = tls1_alert_code, | ||
| 178 | .export_keying_material = tls1_export_keying_material, | ||
| 179 | .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| | ||
| 180 | SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, | ||
| 143 | }; | 181 | }; |
| 144 | 182 | ||
| 145 | long | 183 | long |
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c index b39303b369..6bdffd2332 100644 --- a/src/lib/libssl/t1_meth.c +++ b/src/lib/libssl/t1_meth.c | |||
| @@ -120,7 +120,7 @@ const SSL_METHOD TLSv1_1_method_data = { | |||
| 120 | .get_cipher = ssl3_get_cipher, | 120 | .get_cipher = ssl3_get_cipher, |
| 121 | .get_ssl_method = tls1_get_method, | 121 | .get_ssl_method = tls1_get_method, |
| 122 | .get_timeout = tls1_default_timeout, | 122 | .get_timeout = tls1_default_timeout, |
| 123 | .ssl3_enc = &TLSv1_enc_data, | 123 | .ssl3_enc = &TLSv1_1_enc_data, |
| 124 | .ssl_version = ssl_undefined_void_function, | 124 | .ssl_version = ssl_undefined_void_function, |
| 125 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 125 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 126 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 126 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
| @@ -152,7 +152,7 @@ const SSL_METHOD TLSv1_2_method_data = { | |||
| 152 | .get_cipher = ssl3_get_cipher, | 152 | .get_cipher = ssl3_get_cipher, |
| 153 | .get_ssl_method = tls1_get_method, | 153 | .get_ssl_method = tls1_get_method, |
| 154 | .get_timeout = tls1_default_timeout, | 154 | .get_timeout = tls1_default_timeout, |
| 155 | .ssl3_enc = &TLSv1_enc_data, | 155 | .ssl3_enc = &TLSv1_2_enc_data, |
| 156 | .ssl_version = ssl_undefined_void_function, | 156 | .ssl_version = ssl_undefined_void_function, |
| 157 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 157 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 158 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 158 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c index d38afc5a21..721b190a84 100644 --- a/src/lib/libssl/t1_srvr.c +++ b/src/lib/libssl/t1_srvr.c | |||
| @@ -124,7 +124,7 @@ const SSL_METHOD TLSv1_1_server_method_data = { | |||
| 124 | .get_cipher = ssl3_get_cipher, | 124 | .get_cipher = ssl3_get_cipher, |
| 125 | .get_ssl_method = tls1_get_server_method, | 125 | .get_ssl_method = tls1_get_server_method, |
| 126 | .get_timeout = tls1_default_timeout, | 126 | .get_timeout = tls1_default_timeout, |
| 127 | .ssl3_enc = &TLSv1_enc_data, | 127 | .ssl3_enc = &TLSv1_1_enc_data, |
| 128 | .ssl_version = ssl_undefined_void_function, | 128 | .ssl_version = ssl_undefined_void_function, |
| 129 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 129 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 130 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 130 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |
| @@ -156,7 +156,7 @@ const SSL_METHOD TLSv1_2_server_method_data = { | |||
| 156 | .get_cipher = ssl3_get_cipher, | 156 | .get_cipher = ssl3_get_cipher, |
| 157 | .get_ssl_method = tls1_get_server_method, | 157 | .get_ssl_method = tls1_get_server_method, |
| 158 | .get_timeout = tls1_default_timeout, | 158 | .get_timeout = tls1_default_timeout, |
| 159 | .ssl3_enc = &TLSv1_enc_data, | 159 | .ssl3_enc = &TLSv1_2_enc_data, |
| 160 | .ssl_version = ssl_undefined_void_function, | 160 | .ssl_version = ssl_undefined_void_function, |
| 161 | .ssl_callback_ctrl = ssl3_callback_ctrl, | 161 | .ssl_callback_ctrl = ssl3_callback_ctrl, |
| 162 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, | 162 | .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl, |