summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authortedu <>2014-04-18 21:19:20 +0000
committertedu <>2014-04-18 21:19:20 +0000
commite8a4b91de8e814e5c5c14a4606081bac4fd958bb (patch)
treeebf82b9d93da4f9c8e6c280b1c47a8bff3fa7ab1 /src
parent3003b76c7c4042048bfe7a344d529ec0f03dd638 (diff)
downloadopenbsd-e8a4b91de8e814e5c5c14a4606081bac4fd958bb.tar.gz
openbsd-e8a4b91de8e814e5c5c14a4606081bac4fd958bb.tar.bz2
openbsd-e8a4b91de8e814e5c5c14a4606081bac4fd958bb.zip
now that knf carpet bombing is finished, switch to hand to hand combat.
still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/src/ssl/t1_enc.c157
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c182
-rw-r--r--src/lib/libssl/t1_enc.c157
-rw-r--r--src/lib/libssl/t1_lib.c182
4 files changed, 332 insertions, 346 deletions
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index fb471b2f14..fc7a23fb4b 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -219,9 +219,8 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len,
219 /* calc the next A1 value */ 219 /* calc the next A1 value */
220 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) 220 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len))
221 goto err; 221 goto err;
222 } 222 } else {
223 else /* last one */ 223 /* last one */
224 {
225 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) 224 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
226 goto err; 225 goto err;
227 memcpy(out, A1, olen); 226 memcpy(out, A1, olen);
@@ -269,10 +268,10 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
269 goto err; 268 goto err;
270 269
271 } 270 }
272 if (!tls1_P_hash(md , S1, len + (slen&1), 271 if (!tls1_P_hash(md , S1, len + (slen&1), seed1,
273 seed1, seed1_len, seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, 272 seed1_len, seed2, seed2_len, seed3, seed3_len,
274 out2, olen)) 273 seed4, seed4_len, seed5, seed5_len, out2, olen))
275 goto err; 274 goto err;
276 S1 += len; 275 S1 += len;
277 for (i = 0; i < olen; i++) { 276 for (i = 0; i < olen; i++) {
278 out1[i] ^= out2[i]; 277 out1[i] ^= out2[i];
@@ -288,13 +287,14 @@ static int
288tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) 287tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num)
289{ 288{
290 int ret; 289 int ret;
290
291 ret = tls1_PRF(ssl_get_algorithm2(s), 291 ret = tls1_PRF(ssl_get_algorithm2(s),
292 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, 292 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
293 s->s3->server_random, SSL3_RANDOM_SIZE, 293 s->s3->server_random, SSL3_RANDOM_SIZE,
294 s->s3->client_random, SSL3_RANDOM_SIZE, 294 s->s3->client_random, SSL3_RANDOM_SIZE,
295 NULL, 0, NULL, 0, 295 NULL, 0, NULL, 0,
296 s->session->master_key, s->session->master_key_length, 296 s->session->master_key, s->session->master_key_length,
297 km, tmp, num); 297 km, tmp, num);
298#ifdef KSSL_DEBUG 298#ifdef KSSL_DEBUG
299 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 299 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
300 s->session->master_key_length); 300 s->session->master_key_length);
@@ -369,9 +369,10 @@ tls1_change_cipher_state(SSL *s, int which)
369 reuse_dd = 1; 369 reuse_dd = 1;
370 else if ((s->enc_read_ctx = malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 370 else if ((s->enc_read_ctx = malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
371 goto err; 371 goto err;
372 else 372 else {
373 /* make sure it's intialized in case we exit later with an error */ 373 /* make sure it's intialized in case we exit later with an error */
374 EVP_CIPHER_CTX_init(s->enc_read_ctx); 374 EVP_CIPHER_CTX_init(s->enc_read_ctx);
375 }
375 dd = s->enc_read_ctx; 376 dd = s->enc_read_ctx;
376 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 377 mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
377#ifndef OPENSSL_NO_COMP 378#ifndef OPENSSL_NO_COMP
@@ -386,8 +387,7 @@ tls1_change_cipher_state(SSL *s, int which)
386 goto err2; 387 goto err2;
387 } 388 }
388 if (s->s3->rrec.comp == NULL) 389 if (s->s3->rrec.comp == NULL)
389 s->s3->rrec.comp = (unsigned char *) 390 s->s3->rrec.comp = malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
390 malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
391 if (s->s3->rrec.comp == NULL) 391 if (s->s3->rrec.comp == NULL)
392 goto err; 392 goto err;
393 } 393 }
@@ -438,11 +438,11 @@ tls1_change_cipher_state(SSL *s, int which)
438 EVP_CIPHER_CTX_cleanup(dd); 438 EVP_CIPHER_CTX_cleanup(dd);
439 439
440 p = s->s3->tmp.key_block; 440 p = s->s3->tmp.key_block;
441 i=*mac_secret_size = s->s3->tmp.new_mac_secret_size; 441 i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;
442 442
443 cl = EVP_CIPHER_key_length(c); 443 cl = EVP_CIPHER_key_length(c);
444 j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 444 j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
445 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 445 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
446 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 446 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
447 /* If GCM mode only part of IV comes from PRF */ 447 /* If GCM mode only part of IV comes from PRF */
448 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 448 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
@@ -480,7 +480,7 @@ tls1_change_cipher_state(SSL *s, int which)
480 480
481 memcpy(mac_secret, ms, i); 481 memcpy(mac_secret, ms, i);
482 482
483 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) { 483 if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
484 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 484 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
485 mac_secret, *mac_secret_size); 485 mac_secret, *mac_secret_size);
486 EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); 486 EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key);
@@ -495,22 +495,22 @@ tls1_change_cipher_state(SSL *s, int which)
495 * same value since only the correct one will be used :-). 495 * same value since only the correct one will be used :-).
496 */ 496 */
497 if (!tls1_PRF(ssl_get_algorithm2(s), 497 if (!tls1_PRF(ssl_get_algorithm2(s),
498 exp_label, exp_label_len, 498 exp_label, exp_label_len,
499 s->s3->client_random, SSL3_RANDOM_SIZE, 499 s->s3->client_random, SSL3_RANDOM_SIZE,
500 s->s3->server_random, SSL3_RANDOM_SIZE, 500 s->s3->server_random, SSL3_RANDOM_SIZE,
501 NULL, 0, NULL, 0, 501 NULL, 0, NULL, 0,
502 key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) 502 key, j, tmp1, tmp2, EVP_CIPHER_key_length(c)))
503 goto err2; 503 goto err2;
504 key = tmp1; 504 key = tmp1;
505 505
506 if (k > 0) { 506 if (k > 0) {
507 if (!tls1_PRF(ssl_get_algorithm2(s), 507 if (!tls1_PRF(ssl_get_algorithm2(s),
508 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, 508 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
509 s->s3->client_random, SSL3_RANDOM_SIZE, 509 s->s3->client_random, SSL3_RANDOM_SIZE,
510 s->s3->server_random, SSL3_RANDOM_SIZE, 510 s->s3->server_random, SSL3_RANDOM_SIZE,
511 NULL, 0, NULL, 0, 511 NULL, 0, NULL, 0,
512 empty, 0, iv1, iv2, k*2)) 512 empty, 0, iv1, iv2, k*2))
513 goto err2; 513 goto err2;
514 if (client_write) 514 if (client_write)
515 iv = iv1; 515 iv = iv1;
516 else 516 else
@@ -537,9 +537,9 @@ tls1_change_cipher_state(SSL *s, int which)
537 EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); 537 EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE));
538 538
539 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 539 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
540 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) 540 if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
541 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 541 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
542 *mac_secret_size, mac_secret); 542 *mac_secret_size, mac_secret);
543 543
544#ifdef TLS_DEBUG 544#ifdef TLS_DEBUG
545 printf("which = %04X\nkey=", which); 545 printf("which = %04X\nkey=", which);
@@ -588,7 +588,7 @@ tls1_setup_key_block(SSL *s)
588 s->s3->tmp.new_mac_pkey_type = mac_type; 588 s->s3->tmp.new_mac_pkey_type = mac_type;
589 s->s3->tmp.new_mac_secret_size = mac_secret_size; 589 s->s3->tmp.new_mac_secret_size = mac_secret_size;
590 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); 590 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
591 num*=2; 591 num *= 2;
592 592
593 ssl3_cleanup_key_block(s); 593 ssl3_cleanup_key_block(s);
594 594
@@ -620,8 +620,8 @@ tls1_setup_key_block(SSL *s)
620 { int z; for (z = 0; z<num; z++) printf("%02X%c", p1[z],((z+1)%16)?' ':'\n'); } 620 { int z; for (z = 0; z<num; z++) printf("%02X%c", p1[z],((z+1)%16)?' ':'\n'); }
621#endif 621#endif
622 622
623 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 623 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
624 && s->method->version <= TLS1_VERSION) { 624 s->method->version <= TLS1_VERSION) {
625 /* enable vulnerability countermeasure for CBC ciphers with 625 /* enable vulnerability countermeasure for CBC ciphers with
626 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 626 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
627 */ 627 */
@@ -678,8 +678,8 @@ tls1_enc(SSL *s, int send)
678 int ivlen; 678 int ivlen;
679 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 679 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
680 /* For TLSv1.1 and later explicit IV */ 680 /* For TLSv1.1 and later explicit IV */
681 if (s->version >= TLS1_1_VERSION 681 if (s->version >= TLS1_1_VERSION &&
682 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 682 EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
683 ivlen = EVP_CIPHER_iv_length(enc); 683 ivlen = EVP_CIPHER_iv_length(enc);
684 else 684 else
685 ivlen = 0; 685 ivlen = 0;
@@ -720,7 +720,7 @@ tls1_enc(SSL *s, int send)
720 l = rec->length; 720 l = rec->length;
721 bs = EVP_CIPHER_block_size(ds->cipher); 721 bs = EVP_CIPHER_block_size(ds->cipher);
722 722
723 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { 723 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
724 unsigned char buf[13], *seq; 724 unsigned char buf[13], *seq;
725 725
726 seq = send ? s->s3->write_sequence : s->s3->read_sequence; 726 seq = send ? s->s3->write_sequence : s->s3->read_sequence;
@@ -733,14 +733,10 @@ tls1_enc(SSL *s, int send)
733 memcpy(buf, dtlsseq, 8); 733 memcpy(buf, dtlsseq, 8);
734 } else { 734 } else {
735 memcpy(buf, seq, 8); 735 memcpy(buf, seq, 8);
736 for (i = 7; 736 for (i = 7; i >= 0; i--) { /* increment */
737 i >= 0;
738 i--) /* increment */
739 {
740 ++seq[i]; 737 ++seq[i];
741 if (seq[i] != 0) 738 if (seq[i] != 0)
742 break; 739 break;
743
744 } 740 }
745 } 741 }
746 742
@@ -748,7 +744,7 @@ tls1_enc(SSL *s, int send)
748 buf[9] = (unsigned char)(s->version >> 8); 744 buf[9] = (unsigned char)(s->version >> 8);
749 buf[10] = (unsigned char)(s->version); 745 buf[10] = (unsigned char)(s->version);
750 buf[11] = rec->length >> 8; 746 buf[11] = rec->length >> 8;
751 buf[12] = rec->length&0xff; 747 buf[12] = rec->length & 0xff;
752 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); 748 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
753 if (send) { 749 if (send) {
754 l += pad; 750 l += pad;
@@ -795,10 +791,9 @@ tls1_enc(SSL *s, int send)
795 } 791 }
796 792
797 i = EVP_Cipher(ds, rec->data, rec->input, l); 793 i = EVP_Cipher(ds, rec->data, rec->input, l);
798 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) 794 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) ?
799 ?(i < 0) 795 (i < 0) : (i == 0))
800 :(i == 0)) 796 return -1; /* AEAD can fail to verify MAC */
801 return -1; /* AEAD can fail to verify MAC */
802 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { 797 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
803 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 798 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
804 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 799 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
@@ -837,7 +832,8 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
837 return 0; 832 return 0;
838 833
839 for (i = 0; i < SSL_MAX_DIGEST; i++) { 834 for (i = 0; i < SSL_MAX_DIGEST; i++) {
840 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { 835 if (s->s3->handshake_dgst[i] &&
836 EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
841 d = s->s3->handshake_dgst[i]; 837 d = s->s3->handshake_dgst[i];
842 break; 838 break;
843 } 839 }
@@ -879,24 +875,25 @@ tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
879 if (mask & ssl_get_algorithm2(s)) { 875 if (mask & ssl_get_algorithm2(s)) {
880 int hashsize = EVP_MD_size(md); 876 int hashsize = EVP_MD_size(md);
881 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; 877 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
882 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { 878 if (!hdgst || hashsize < 0 ||
879 hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
883 /* internal error: 'buf' is too small for this cipersuite! */ 880 /* internal error: 'buf' is too small for this cipersuite! */
884 err = 1; 881 err = 1;
885 } else { 882 } else {
886 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 883 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
887 !EVP_DigestFinal_ex(&ctx, q, &i) || 884 !EVP_DigestFinal_ex(&ctx, q, &i) ||
888 (i != (unsigned int)hashsize)) 885 (i != (unsigned int)hashsize))
889 err = 1; 886 err = 1;
890 q += hashsize; 887 q += hashsize;
891 } 888 }
892 } 889 }
893 } 890 }
894 891
895 if (!tls1_PRF(ssl_get_algorithm2(s), 892 if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf,(int)(q - buf),
896 str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0, 893 NULL, 0, NULL, 0, NULL, 0,
897 s->session->master_key, s->session->master_key_length, 894 s->session->master_key, s->session->master_key_length,
898 out, buf2, sizeof buf2)) 895 out, buf2, sizeof buf2))
899 err = 1; 896 err = 1;
900 EVP_MD_CTX_cleanup(&ctx); 897 EVP_MD_CTX_cleanup(&ctx);
901 898
902 if (err) 899 if (err)
@@ -945,7 +942,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
945 unsigned char dtlsseq[8], *p = dtlsseq; 942 unsigned char dtlsseq[8], *p = dtlsseq;
946 943
947 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p); 944 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p);
948 memcpy (p, &seq[2], 6); 945 memcpy(p, &seq[2], 6);
949 946
950 memcpy(header, dtlsseq, 8); 947 memcpy(header, dtlsseq, 8);
951 } else 948 } else
@@ -961,21 +958,18 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
961 header[11] = (rec->length) >> 8; 958 header[11] = (rec->length) >> 8;
962 header[12] = (rec->length)&0xff; 959 header[12] = (rec->length)&0xff;
963 960
964 if (!send && 961 if (!send && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
965 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 962 ssl3_cbc_record_digest_supported(mac_ctx)) {
966 ssl3_cbc_record_digest_supported(mac_ctx)) {
967 /* This is a CBC-encrypted record. We must avoid leaking any 963 /* This is a CBC-encrypted record. We must avoid leaking any
968 * timing-side channel information about how many blocks of 964 * timing-side channel information about how many blocks of
969 * data we are hashing because that gives an attacker a 965 * data we are hashing because that gives an attacker a
970 * timing-oracle. */ 966 * timing-oracle. */
971 ssl3_cbc_digest_record( 967 ssl3_cbc_digest_record(mac_ctx,
972 mac_ctx, 968 md, &md_size, header, rec->input,
973 md, &md_size, 969 rec->length + md_size, orig_len,
974 header, rec->input, 970 ssl->s3->read_mac_secret,
975 rec->length + md_size, orig_len, 971 ssl->s3->read_mac_secret_size,
976 ssl->s3->read_mac_secret, 972 0 /* not SSLv3 */);
977 ssl->s3->read_mac_secret_size,
978 0 /* not SSLv3 */);
979 } else { 973 } else {
980 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); 974 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
981 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); 975 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
@@ -1001,7 +995,6 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
1001 ++seq[i]; 995 ++seq[i];
1002 if (seq[i] != 0) 996 if (seq[i] != 0)
1003 break; 997 break;
1004
1005 } 998 }
1006 } 999 }
1007 1000
@@ -1115,20 +1108,20 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1115 * comparisons won't have buffer overflow 1108 * comparisons won't have buffer overflow
1116 */ 1109 */
1117 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 1110 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
1118 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; 1111 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
1112 goto err1;
1119 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 1113 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
1120 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; 1114 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
1115 goto err1;
1121 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 1116 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
1122 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; 1117 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
1118 goto err1;
1123 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 1119 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
1124 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; 1120 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
1121 goto err1;
1125 1122
1126 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 1123 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
1127 val, vallen, 1124 val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0,
1128 NULL, 0,
1129 NULL, 0,
1130 NULL, 0,
1131 NULL, 0,
1132 s->session->master_key, s->session->master_key_length, 1125 s->session->master_key, s->session->master_key_length,
1133 out, buff, olen); 1126 out, buff, olen);
1134 1127
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 6ee2289153..f6cfb508f6 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -152,8 +152,9 @@ tls1_default_timeout(void)
152int 152int
153tls1_new(SSL *s) 153tls1_new(SSL *s)
154{ 154{
155 if (!ssl3_new(s)) return (0); 155 if (!ssl3_new(s))
156 s->method->ssl_clear(s); 156 return (0);
157 s->method->ssl_clear(s);
157 return (1); 158 return (1);
158} 159}
159 160
@@ -349,13 +350,14 @@ unsigned char
349 unsigned char *ret = p; 350 unsigned char *ret = p;
350 351
351 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 352 /* don't add extensions for SSLv3 unless doing secure renegotiation */
352 if (s->client_version == SSL3_VERSION 353 if (s->client_version == SSL3_VERSION &&
353 && !s->s3->send_connection_binding) 354 !s->s3->send_connection_binding)
354 return p; 355 return p;
355 356
356 ret += 2; 357 ret += 2;
357 358
358 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 359 if (ret>=limit)
360 return NULL; /* this really never occurs, but ... */
359 361
360 if (s->tlsext_hostname != NULL) { 362 if (s->tlsext_hostname != NULL) {
361 /* Add TLS extension servername to the Client Hello message */ 363 /* Add TLS extension servername to the Client Hello message */
@@ -371,9 +373,9 @@ unsigned char
371 + hostname length 373 + hostname length
372 */ 374 */
373 375
374 if ((lenmax = limit - ret - 9) < 0 376 if ((lenmax = limit - ret - 9) < 0 ||
375 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 377 (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
376 return NULL; 378 return NULL;
377 379
378 /* extension type and length */ 380 /* extension type and length */
379 s2n(TLSEXT_TYPE_server_name, ret); 381 s2n(TLSEXT_TYPE_server_name, ret);
@@ -399,8 +401,8 @@ unsigned char
399 return NULL; 401 return NULL;
400 } 402 }
401 403
402 if ((limit - p - 4 - el) 404 if ((limit - p - 4 - el) < 0)
403 < 0) return NULL; 405 return NULL;
404 406
405 s2n(TLSEXT_TYPE_renegotiate, ret); 407 s2n(TLSEXT_TYPE_renegotiate, ret);
406 s2n(el, ret); 408 s2n(el, ret);
@@ -415,8 +417,8 @@ unsigned char
415 417
416#ifndef OPENSSL_NO_SRP 418#ifndef OPENSSL_NO_SRP
417 /* Add SRP username if there is one */ 419 /* Add SRP username if there is one */
418 if (s->srp_ctx.login != NULL) 420 if (s->srp_ctx.login != NULL) {
419 { /* Add TLS extension SRP username to the Client Hello message */ 421 /* Add TLS extension SRP username to the Client Hello message */
420 422
421 int login_len = strlen(s->srp_ctx.login); 423 int login_len = strlen(s->srp_ctx.login);
422 424
@@ -430,8 +432,8 @@ unsigned char
430 1 for the srp user identity 432 1 for the srp user identity
431 + srp user identity length 433 + srp user identity length
432 */ 434 */
433 if ((limit - ret - 5 - login_len) 435 if ((limit - ret - 5 - login_len) < 0)
434 < 0) return NULL; 436 return NULL;
435 437
436 438
437 /* fill in the extension */ 439 /* fill in the extension */
@@ -445,16 +447,16 @@ unsigned char
445 447
446#ifndef OPENSSL_NO_EC 448#ifndef OPENSSL_NO_EC
447 if (s->tlsext_ecpointformatlist != NULL && 449 if (s->tlsext_ecpointformatlist != NULL &&
448 s->version != DTLS1_VERSION) { 450 s->version != DTLS1_VERSION) {
449 /* Add TLS extension ECPointFormats to the ClientHello message */ 451 /* Add TLS extension ECPointFormats to the ClientHello message */
450 long lenmax; 452 long lenmax;
451 453
454 if ((lenmax = limit - ret - 5) < 0)
455 return NULL;
452 456
453 if ((lenmax = limit - ret - 5) 457 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
454 < 0) return NULL; 458 return NULL;
455 459 if (s->tlsext_ecpointformatlist_length > 255) {
456 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
457 if (s->tlsext_ecpointformatlist_length > 255) {
458 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 460 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
459 return NULL; 461 return NULL;
460 } 462 }
@@ -466,11 +468,10 @@ unsigned char
466 ret += s->tlsext_ecpointformatlist_length; 468 ret += s->tlsext_ecpointformatlist_length;
467 } 469 }
468 if (s->tlsext_ellipticcurvelist != NULL && 470 if (s->tlsext_ellipticcurvelist != NULL &&
469 s->version != DTLS1_VERSION) { 471 s->version != DTLS1_VERSION) {
470 /* Add TLS extension EllipticCurves to the ClientHello message */ 472 /* Add TLS extension EllipticCurves to the ClientHello message */
471 long lenmax; 473 long lenmax;
472 474
473
474 if ((lenmax = limit - ret - 6) 475 if ((lenmax = limit - ret - 6)
475 < 0) return NULL; 476 < 0) return NULL;
476 477
@@ -499,7 +500,7 @@ unsigned char
499 if (!s->new_session && s->session && s->session->tlsext_tick) 500 if (!s->new_session && s->session && s->session->tlsext_tick)
500 ticklen = s->session->tlsext_ticklen; 501 ticklen = s->session->tlsext_ticklen;
501 else if (s->session && s->tlsext_session_ticket && 502 else if (s->session && s->tlsext_session_ticket &&
502 s->tlsext_session_ticket->data) { 503 s->tlsext_session_ticket->data) {
503 ticklen = s->tlsext_session_ticket->length; 504 ticklen = s->tlsext_session_ticket->length;
504 s->session->tlsext_tick = malloc(ticklen); 505 s->session->tlsext_tick = malloc(ticklen);
505 if (!s->session->tlsext_tick) 506 if (!s->session->tlsext_tick)
@@ -511,13 +512,14 @@ unsigned char
511 } else 512 } else
512 ticklen = 0; 513 ticklen = 0;
513 if (ticklen == 0 && s->tlsext_session_ticket && 514 if (ticklen == 0 && s->tlsext_session_ticket &&
514 s->tlsext_session_ticket->data == NULL) 515 s->tlsext_session_ticket->data == NULL)
515 goto skip_ext; 516 goto skip_ext;
516 /* Check for enough room 2 for extension type, 2 for len 517 /* Check for enough room 2 for extension type, 2 for len
517 * rest for ticket 518 * rest for ticket
518 */ 519 */
519 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 520 if ((long)(limit - ret - 4 - ticklen) < 0)
520 s2n(TLSEXT_TYPE_session_ticket, ret); 521 return NULL;
522 s2n(TLSEXT_TYPE_session_ticket, ret);
521 523
522 s2n(ticklen, ret); 524 s2n(ticklen, ret);
523 if (ticklen) { 525 if (ticklen) {
@@ -525,7 +527,7 @@ unsigned char
525 ret += ticklen; 527 ret += ticklen;
526 } 528 }
527 } 529 }
528 skip_ext: 530skip_ext:
529 531
530 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 532 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
531 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 533 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
@@ -558,7 +560,7 @@ unsigned char
558#endif 560#endif
559 561
560 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 562 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
561 s->version != DTLS1_VERSION) { 563 s->version != DTLS1_VERSION) {
562 int i; 564 int i;
563 long extlen, idlen, itmp; 565 long extlen, idlen, itmp;
564 OCSP_RESPID *id; 566 OCSP_RESPID *id;
@@ -579,8 +581,9 @@ unsigned char
579 } else 581 } else
580 extlen = 0; 582 extlen = 0;
581 583
582 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 584 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
583 s2n(TLSEXT_TYPE_status_request, ret); 585 return NULL;
586 s2n(TLSEXT_TYPE_status_request, ret);
584 if (extlen + idlen > 0xFFF0) 587 if (extlen + idlen > 0xFFF0)
585 return NULL; 588 return NULL;
586 s2n(extlen + idlen + 5, ret); 589 s2n(extlen + idlen + 5, ret);
@@ -618,8 +621,8 @@ unsigned char
618 621
619 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 622 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
620 623
621 if ((limit - p - 4 - el) 624 if ((limit - p - 4 - el) < 0)
622 < 0) return NULL; 625 return NULL;
623 626
624 s2n(TLSEXT_TYPE_use_srtp, ret); 627 s2n(TLSEXT_TYPE_use_srtp, ret);
625 s2n(el, ret); 628 s2n(el, ret);
@@ -682,11 +685,12 @@ unsigned char
682 return p; 685 return p;
683 686
684 ret += 2; 687 ret += 2;
685 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 688 if (ret>=limit)
689 return NULL; /* this really never occurs, but ... */
686 690
687 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) { 691 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
688 if ((long)(limit - ret - 4) < 0) return NULL; 692 if ((long)(limit - ret - 4) < 0)
689 693 return NULL;
690 694
691 s2n(TLSEXT_TYPE_server_name, ret); 695 s2n(TLSEXT_TYPE_server_name, ret);
692 s2n(0, ret); 696 s2n(0, ret);
@@ -724,8 +728,9 @@ unsigned char
724 if ((lenmax = limit - ret - 5) 728 if ((lenmax = limit - ret - 5)
725 < 0) return NULL; 729 < 0) return NULL;
726 730
727 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 731 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
728 if (s->tlsext_ecpointformatlist_length > 255) { 732 return NULL;
733 if (s->tlsext_ecpointformatlist_length > 255) {
729 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 734 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
730 return NULL; 735 return NULL;
731 } 736 }
@@ -740,24 +745,24 @@ unsigned char
740 /* Currently the server should not respond with a SupportedCurves extension */ 745 /* Currently the server should not respond with a SupportedCurves extension */
741#endif /* OPENSSL_NO_EC */ 746#endif /* OPENSSL_NO_EC */
742 747
743 if (s->tlsext_ticket_expected 748 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
744 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 749 if ((long)(limit - ret - 4) < 0)
745 if ((long)(limit - ret - 4) < 0) return NULL; 750 return NULL;
746 751
747 s2n(TLSEXT_TYPE_session_ticket, ret); 752 s2n(TLSEXT_TYPE_session_ticket, ret);
748 s2n(0, ret); 753 s2n(0, ret);
749 } 754 }
750 755
751 if (s->tlsext_status_expected) { 756 if (s->tlsext_status_expected) {
752 if ((long)(limit - ret - 4) < 0) return NULL; 757 if ((long)(limit - ret - 4) < 0)
758 return NULL;
753 759
754 s2n(TLSEXT_TYPE_status_request, ret); 760 s2n(TLSEXT_TYPE_status_request, ret);
755 s2n(0, ret); 761 s2n(0, ret);
756 } 762 }
757 763
758#ifdef TLSEXT_TYPE_opaque_prf_input 764#ifdef TLSEXT_TYPE_opaque_prf_input
759 if (s->s3->server_opaque_prf_input != NULL && 765 if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {
760 s->version != DTLS1_VERSION) {
761 size_t sol = s->s3->server_opaque_prf_input_len; 766 size_t sol = s->s3->server_opaque_prf_input_len;
762 767
763 if ((long)(limit - ret - 6 - sol) < 0) 768 if ((long)(limit - ret - 6 - sol) < 0)
@@ -794,8 +799,9 @@ unsigned char
794 } 799 }
795#endif 800#endif
796 801
797 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) 802 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
798 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 803 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
804 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
799 const unsigned char cryptopro_ext[36] = { 805 const unsigned char cryptopro_ext[36] = {
800 0xfd, 0xe8, /*65000*/ 806 0xfd, 0xe8, /*65000*/
801 0x00, 0x20, /*32 bytes length*/ 807 0x00, 0x20, /*32 bytes length*/
@@ -820,8 +826,9 @@ unsigned char
820 826
821 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 827 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
822 if (r == SSL_TLSEXT_ERR_OK) { 828 if (r == SSL_TLSEXT_ERR_OK) {
823 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 829 if ((long)(limit - ret - 4 - npalen) < 0)
824 s2n(TLSEXT_TYPE_next_proto_neg, ret); 830 return NULL;
831 s2n(TLSEXT_TYPE_next_proto_neg, ret);
825 s2n(npalen, ret); 832 s2n(npalen, ret);
826 memcpy(ret, npa, npalen); 833 memcpy(ret, npa, npalen);
827 ret += npalen; 834 ret += npalen;
@@ -987,7 +994,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
987 int servname_type; 994 int servname_type;
988 int dsize; 995 int dsize;
989 996
990
991 if (size < 2) { 997 if (size < 2) {
992 *al = SSL_AD_DECODE_ERROR; 998 *al = SSL_AD_DECODE_ERROR;
993 return 0; 999 return 0;
@@ -1013,7 +1019,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1013 } 1019 }
1014 if (s->servername_done == 0) 1020 if (s->servername_done == 0)
1015 switch (servname_type) { 1021 switch (servname_type) {
1016 case TLSEXT_NAMETYPE_host_name: 1022 case TLSEXT_NAMETYPE_host_name:
1017 if (!s->hit) { 1023 if (!s->hit) {
1018 if (s->session->tlsext_hostname) { 1024 if (s->session->tlsext_hostname) {
1019 *al = SSL_AD_DECODE_ERROR; 1025 *al = SSL_AD_DECODE_ERROR;
@@ -1038,14 +1044,14 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1038 s->servername_done = 1; 1044 s->servername_done = 1;
1039 1045
1040 1046
1041 } else 1047 } else {
1042 s->servername_done = s->session->tlsext_hostname 1048 s->servername_done = s->session->tlsext_hostname &&
1043 && strlen(s->session->tlsext_hostname) == len 1049 strlen(s->session->tlsext_hostname) == len &&
1044 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1050 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1045 1051 }
1046 break; 1052 break;
1047 1053
1048 default: 1054 default:
1049 break; 1055 break;
1050 } 1056 }
1051 1057
@@ -1285,12 +1291,12 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1285 return 0; 1291 return 0;
1286 } 1292 }
1287 } 1293 }
1288 } 1294 } else {
1289 /* We don't know what to do with any other type 1295 /* We don't know what to do with any other type
1290 * so ignore it. 1296 * so ignore it.
1291 */ 1297 */
1292 else
1293 s->tlsext_status_type = -1; 1298 s->tlsext_status_type = -1;
1299 }
1294 } 1300 }
1295#ifndef OPENSSL_NO_NEXTPROTONEG 1301#ifndef OPENSSL_NO_NEXTPROTONEG
1296 else if (type == TLSEXT_TYPE_next_proto_neg && 1302 else if (type == TLSEXT_TYPE_next_proto_neg &&
@@ -1317,9 +1323,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1317 /* session ticket processed earlier */ 1323 /* session ticket processed earlier */
1318#ifndef OPENSSL_NO_SRTP 1324#ifndef OPENSSL_NO_SRTP
1319 else if (type == TLSEXT_TYPE_use_srtp) { 1325 else if (type == TLSEXT_TYPE_use_srtp) {
1320 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, 1326 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1321 al)) 1327 return 0;
1322 return 0;
1323 } 1328 }
1324#endif 1329#endif
1325 1330
@@ -1404,7 +1409,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1404 tlsext_servername = 1; 1409 tlsext_servername = 1;
1405 1410
1406 } 1411 }
1407
1408#ifndef OPENSSL_NO_EC 1412#ifndef OPENSSL_NO_EC
1409 else if (type == TLSEXT_TYPE_ec_point_formats && 1413 else if (type == TLSEXT_TYPE_ec_point_formats &&
1410 s->version != DTLS1_VERSION) { 1414 s->version != DTLS1_VERSION) {
@@ -1434,15 +1438,13 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1434#endif 1438#endif
1435 } 1439 }
1436#endif /* OPENSSL_NO_EC */ 1440#endif /* OPENSSL_NO_EC */
1437
1438 else if (type == TLSEXT_TYPE_session_ticket) { 1441 else if (type == TLSEXT_TYPE_session_ticket) {
1439 if (s->tls_session_ticket_ext_cb && 1442 if (s->tls_session_ticket_ext_cb &&
1440 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1443 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1441 *al = TLS1_AD_INTERNAL_ERROR; 1444 *al = TLS1_AD_INTERNAL_ERROR;
1442 return 0; 1445 return 0;
1443 } 1446 }
1444 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1447 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1445 || (size > 0)) {
1446 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1448 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1447 return 0; 1449 return 0;
1448 } 1450 }
@@ -1450,7 +1452,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1450 } 1452 }
1451#ifdef TLSEXT_TYPE_opaque_prf_input 1453#ifdef TLSEXT_TYPE_opaque_prf_input
1452 else if (type == TLSEXT_TYPE_opaque_prf_input && 1454 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1453 s->version != DTLS1_VERSION) { 1455 s->version != DTLS1_VERSION) {
1454 unsigned char *sdata = data; 1456 unsigned char *sdata = data;
1455 1457
1456 if (size < 2) { 1458 if (size < 2) {
@@ -1477,7 +1479,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1477 } 1479 }
1478#endif 1480#endif
1479 else if (type == TLSEXT_TYPE_status_request && 1481 else if (type == TLSEXT_TYPE_status_request &&
1480 s->version != DTLS1_VERSION) { 1482 s->version != DTLS1_VERSION) {
1481 /* MUST be empty and only sent if we've requested 1483 /* MUST be empty and only sent if we've requested
1482 * a status request message. 1484 * a status request message.
1483 */ 1485 */
@@ -1490,7 +1492,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1490 } 1492 }
1491#ifndef OPENSSL_NO_NEXTPROTONEG 1493#ifndef OPENSSL_NO_NEXTPROTONEG
1492 else if (type == TLSEXT_TYPE_next_proto_neg && 1494 else if (type == TLSEXT_TYPE_next_proto_neg &&
1493 s->s3->tmp.finish_md_len == 0) { 1495 s->s3->tmp.finish_md_len == 0) {
1494 unsigned char *selected; 1496 unsigned char *selected;
1495 unsigned char selected_len; 1497 unsigned char selected_len;
1496 1498
@@ -1558,7 +1560,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1558 1560
1559 *p = data; 1561 *p = data;
1560 1562
1561 ri_check: 1563ri_check:
1562 1564
1563 /* Determine if we need to see RI. Strictly speaking if we want to 1565 /* Determine if we need to see RI. Strictly speaking if we want to
1564 * avoid an attack we should *always* see RI even on initial server 1566 * avoid an attack we should *always* see RI even on initial server
@@ -1567,8 +1569,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1567 * which doesn't support RI so for the immediate future tolerate RI 1569 * which doesn't support RI so for the immediate future tolerate RI
1568 * absence on initial connect only. 1570 * absence on initial connect only.
1569 */ 1571 */
1570 if (!renegotiate_seen 1572 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1571 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1572 *al = SSL_AD_HANDSHAKE_FAILURE; 1573 *al = SSL_AD_HANDSHAKE_FAILURE;
1573 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1574 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1574 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1575 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1578,7 +1579,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1578 return 1; 1579 return 1;
1579} 1580}
1580 1581
1581
1582int 1582int
1583ssl_prepare_clienthello_tlsext(SSL *s) 1583ssl_prepare_clienthello_tlsext(SSL *s)
1584{ 1584{
@@ -1597,7 +1597,8 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1597 1597
1598 alg_k = c->algorithm_mkey; 1598 alg_k = c->algorithm_mkey;
1599 alg_a = c->algorithm_auth; 1599 alg_a = c->algorithm_auth;
1600 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { 1600 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) ||
1601 (alg_a & SSL_aECDSA))) {
1601 using_ecc = 1; 1602 using_ecc = 1;
1602 break; 1603 break;
1603 } 1604 }
@@ -1625,9 +1626,8 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1625 return -1; 1626 return -1;
1626 } 1627 }
1627 for (i = 0, j = s->tlsext_ellipticcurvelist; 1628 for (i = 0, j = s->tlsext_ellipticcurvelist;
1628 (unsigned int)i < 1629 (unsigned int)i < sizeof(pref_list)/sizeof(pref_list[0]);
1629 sizeof(pref_list)/sizeof(pref_list[0]); 1630 i++) {
1630 i++) {
1631 int id = tls1_ec_nid2curve_id(pref_list[i]); 1631 int id = tls1_ec_nid2curve_id(pref_list[i]);
1632 s2n(id, j); 1632 s2n(id, j);
1633 } 1633 }
@@ -1659,9 +1659,11 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1659 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1659 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1660 } 1660 }
1661 1661
1662 if (r == 2) 1662 if (r == 2) {
1663 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1663 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1664 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1664 s->s3->server_opaque_prf_input_len =
1665 s->tlsext_opaque_prf_input_len;
1666 }
1665 } 1667 }
1666#endif 1668#endif
1667 1669
@@ -1743,7 +1745,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
1743 1745
1744 if (s->tlsext_opaque_prf_input != NULL) { 1746 if (s->tlsext_opaque_prf_input != NULL) {
1745 if (s->s3->client_opaque_prf_input != NULL && 1747 if (s->s3->client_opaque_prf_input != NULL &&
1746 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { 1748 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
1747 /* can only use this extension if we have a server opaque PRF input 1749 /* can only use this extension if we have a server opaque PRF input
1748 * of the same length as the client opaque PRF input! */ 1750 * of the same length as the client opaque PRF input! */
1749 1751
@@ -1770,7 +1772,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
1770 } 1772 }
1771 } 1773 }
1772 1774
1773 err: 1775err:
1774#endif 1776#endif
1775 switch (ret) { 1777 switch (ret) {
1776 case SSL_TLSEXT_ERR_ALERT_FATAL: 1778 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1842,12 +1844,10 @@ err:
1842 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1844 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1843 1845
1844 return -1; 1846 return -1;
1845
1846 case SSL_TLSEXT_ERR_ALERT_WARNING: 1847 case SSL_TLSEXT_ERR_ALERT_WARNING:
1847 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1848 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1848 return 1; 1849 return 1;
1849 1850
1850
1851 default: 1851 default:
1852 return 1; 1852 return 1;
1853 } 1853 }
@@ -1866,9 +1866,11 @@ ssl_check_serverhello_tlsext(SSL *s)
1866 */ 1866 */
1867 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1867 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1868 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1868 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1869 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1869 if ((s->tlsext_ecpointformatlist != NULL) &&
1870 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1870 (s->tlsext_ecpointformatlist_length > 0) &&
1871 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1871 (s->session->tlsext_ecpointformatlist != NULL) &&
1872 (s->session->tlsext_ecpointformatlist_length > 0) &&
1873 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1872 /* we are using an ECC cipher */ 1874 /* we are using an ECC cipher */
1873 size_t i; 1875 size_t i;
1874 unsigned char *list; 1876 unsigned char *list;
@@ -1943,12 +1945,10 @@ ssl_check_serverhello_tlsext(SSL *s)
1943 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1945 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1944 1946
1945 return -1; 1947 return -1;
1946
1947 case SSL_TLSEXT_ERR_ALERT_WARNING: 1948 case SSL_TLSEXT_ERR_ALERT_WARNING:
1948 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1949 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1949 return 1;
1950
1951 1950
1951 return 1;
1952 case SSL_TLSEXT_ERR_NOACK: 1952 case SSL_TLSEXT_ERR_NOACK:
1953 s->servername_done = 0; 1953 s->servername_done = 0;
1954 default: 1954 default:
@@ -2279,6 +2279,7 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2279 int i, idx; 2279 int i, idx;
2280 const EVP_MD *md; 2280 const EVP_MD *md;
2281 CERT *c = s->cert; 2281 CERT *c = s->cert;
2282
2282 /* Extension ignored for TLS versions below 1.2 */ 2283 /* Extension ignored for TLS versions below 1.2 */
2283 if (TLS1_get_version(s) < TLS1_2_VERSION) 2284 if (TLS1_get_version(s) < TLS1_2_VERSION)
2284 return 1; 2285 return 1;
@@ -2321,7 +2322,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2321 2322
2322 } 2323 }
2323 2324
2324
2325 /* Set any remaining keys to default values. NOTE: if alg is not 2325 /* Set any remaining keys to default values. NOTE: if alg is not
2326 * supported it stays as NULL. 2326 * supported it stays as NULL.
2327 */ 2327 */
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index fb471b2f14..fc7a23fb4b 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -219,9 +219,8 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len,
219 /* calc the next A1 value */ 219 /* calc the next A1 value */
220 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) 220 if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len))
221 goto err; 221 goto err;
222 } 222 } else {
223 else /* last one */ 223 /* last one */
224 {
225 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) 224 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
226 goto err; 225 goto err;
227 memcpy(out, A1, olen); 226 memcpy(out, A1, olen);
@@ -269,10 +268,10 @@ tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2,
269 goto err; 268 goto err;
270 269
271 } 270 }
272 if (!tls1_P_hash(md , S1, len + (slen&1), 271 if (!tls1_P_hash(md , S1, len + (slen&1), seed1,
273 seed1, seed1_len, seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, 272 seed1_len, seed2, seed2_len, seed3, seed3_len,
274 out2, olen)) 273 seed4, seed4_len, seed5, seed5_len, out2, olen))
275 goto err; 274 goto err;
276 S1 += len; 275 S1 += len;
277 for (i = 0; i < olen; i++) { 276 for (i = 0; i < olen; i++) {
278 out1[i] ^= out2[i]; 277 out1[i] ^= out2[i];
@@ -288,13 +287,14 @@ static int
288tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) 287tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num)
289{ 288{
290 int ret; 289 int ret;
290
291 ret = tls1_PRF(ssl_get_algorithm2(s), 291 ret = tls1_PRF(ssl_get_algorithm2(s),
292 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, 292 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
293 s->s3->server_random, SSL3_RANDOM_SIZE, 293 s->s3->server_random, SSL3_RANDOM_SIZE,
294 s->s3->client_random, SSL3_RANDOM_SIZE, 294 s->s3->client_random, SSL3_RANDOM_SIZE,
295 NULL, 0, NULL, 0, 295 NULL, 0, NULL, 0,
296 s->session->master_key, s->session->master_key_length, 296 s->session->master_key, s->session->master_key_length,
297 km, tmp, num); 297 km, tmp, num);
298#ifdef KSSL_DEBUG 298#ifdef KSSL_DEBUG
299 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 299 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
300 s->session->master_key_length); 300 s->session->master_key_length);
@@ -369,9 +369,10 @@ tls1_change_cipher_state(SSL *s, int which)
369 reuse_dd = 1; 369 reuse_dd = 1;
370 else if ((s->enc_read_ctx = malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 370 else if ((s->enc_read_ctx = malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
371 goto err; 371 goto err;
372 else 372 else {
373 /* make sure it's intialized in case we exit later with an error */ 373 /* make sure it's intialized in case we exit later with an error */
374 EVP_CIPHER_CTX_init(s->enc_read_ctx); 374 EVP_CIPHER_CTX_init(s->enc_read_ctx);
375 }
375 dd = s->enc_read_ctx; 376 dd = s->enc_read_ctx;
376 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 377 mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
377#ifndef OPENSSL_NO_COMP 378#ifndef OPENSSL_NO_COMP
@@ -386,8 +387,7 @@ tls1_change_cipher_state(SSL *s, int which)
386 goto err2; 387 goto err2;
387 } 388 }
388 if (s->s3->rrec.comp == NULL) 389 if (s->s3->rrec.comp == NULL)
389 s->s3->rrec.comp = (unsigned char *) 390 s->s3->rrec.comp = malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
390 malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
391 if (s->s3->rrec.comp == NULL) 391 if (s->s3->rrec.comp == NULL)
392 goto err; 392 goto err;
393 } 393 }
@@ -438,11 +438,11 @@ tls1_change_cipher_state(SSL *s, int which)
438 EVP_CIPHER_CTX_cleanup(dd); 438 EVP_CIPHER_CTX_cleanup(dd);
439 439
440 p = s->s3->tmp.key_block; 440 p = s->s3->tmp.key_block;
441 i=*mac_secret_size = s->s3->tmp.new_mac_secret_size; 441 i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;
442 442
443 cl = EVP_CIPHER_key_length(c); 443 cl = EVP_CIPHER_key_length(c);
444 j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 444 j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
445 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 445 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
446 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 446 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
447 /* If GCM mode only part of IV comes from PRF */ 447 /* If GCM mode only part of IV comes from PRF */
448 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 448 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
@@ -480,7 +480,7 @@ tls1_change_cipher_state(SSL *s, int which)
480 480
481 memcpy(mac_secret, ms, i); 481 memcpy(mac_secret, ms, i);
482 482
483 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) { 483 if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
484 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 484 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
485 mac_secret, *mac_secret_size); 485 mac_secret, *mac_secret_size);
486 EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); 486 EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key);
@@ -495,22 +495,22 @@ tls1_change_cipher_state(SSL *s, int which)
495 * same value since only the correct one will be used :-). 495 * same value since only the correct one will be used :-).
496 */ 496 */
497 if (!tls1_PRF(ssl_get_algorithm2(s), 497 if (!tls1_PRF(ssl_get_algorithm2(s),
498 exp_label, exp_label_len, 498 exp_label, exp_label_len,
499 s->s3->client_random, SSL3_RANDOM_SIZE, 499 s->s3->client_random, SSL3_RANDOM_SIZE,
500 s->s3->server_random, SSL3_RANDOM_SIZE, 500 s->s3->server_random, SSL3_RANDOM_SIZE,
501 NULL, 0, NULL, 0, 501 NULL, 0, NULL, 0,
502 key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) 502 key, j, tmp1, tmp2, EVP_CIPHER_key_length(c)))
503 goto err2; 503 goto err2;
504 key = tmp1; 504 key = tmp1;
505 505
506 if (k > 0) { 506 if (k > 0) {
507 if (!tls1_PRF(ssl_get_algorithm2(s), 507 if (!tls1_PRF(ssl_get_algorithm2(s),
508 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, 508 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE,
509 s->s3->client_random, SSL3_RANDOM_SIZE, 509 s->s3->client_random, SSL3_RANDOM_SIZE,
510 s->s3->server_random, SSL3_RANDOM_SIZE, 510 s->s3->server_random, SSL3_RANDOM_SIZE,
511 NULL, 0, NULL, 0, 511 NULL, 0, NULL, 0,
512 empty, 0, iv1, iv2, k*2)) 512 empty, 0, iv1, iv2, k*2))
513 goto err2; 513 goto err2;
514 if (client_write) 514 if (client_write)
515 iv = iv1; 515 iv = iv1;
516 else 516 else
@@ -537,9 +537,9 @@ tls1_change_cipher_state(SSL *s, int which)
537 EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); 537 EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE));
538 538
539 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 539 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
540 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) 540 if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
541 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 541 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
542 *mac_secret_size, mac_secret); 542 *mac_secret_size, mac_secret);
543 543
544#ifdef TLS_DEBUG 544#ifdef TLS_DEBUG
545 printf("which = %04X\nkey=", which); 545 printf("which = %04X\nkey=", which);
@@ -588,7 +588,7 @@ tls1_setup_key_block(SSL *s)
588 s->s3->tmp.new_mac_pkey_type = mac_type; 588 s->s3->tmp.new_mac_pkey_type = mac_type;
589 s->s3->tmp.new_mac_secret_size = mac_secret_size; 589 s->s3->tmp.new_mac_secret_size = mac_secret_size;
590 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); 590 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
591 num*=2; 591 num *= 2;
592 592
593 ssl3_cleanup_key_block(s); 593 ssl3_cleanup_key_block(s);
594 594
@@ -620,8 +620,8 @@ tls1_setup_key_block(SSL *s)
620 { int z; for (z = 0; z<num; z++) printf("%02X%c", p1[z],((z+1)%16)?' ':'\n'); } 620 { int z; for (z = 0; z<num; z++) printf("%02X%c", p1[z],((z+1)%16)?' ':'\n'); }
621#endif 621#endif
622 622
623 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 623 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
624 && s->method->version <= TLS1_VERSION) { 624 s->method->version <= TLS1_VERSION) {
625 /* enable vulnerability countermeasure for CBC ciphers with 625 /* enable vulnerability countermeasure for CBC ciphers with
626 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 626 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
627 */ 627 */
@@ -678,8 +678,8 @@ tls1_enc(SSL *s, int send)
678 int ivlen; 678 int ivlen;
679 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 679 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
680 /* For TLSv1.1 and later explicit IV */ 680 /* For TLSv1.1 and later explicit IV */
681 if (s->version >= TLS1_1_VERSION 681 if (s->version >= TLS1_1_VERSION &&
682 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 682 EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
683 ivlen = EVP_CIPHER_iv_length(enc); 683 ivlen = EVP_CIPHER_iv_length(enc);
684 else 684 else
685 ivlen = 0; 685 ivlen = 0;
@@ -720,7 +720,7 @@ tls1_enc(SSL *s, int send)
720 l = rec->length; 720 l = rec->length;
721 bs = EVP_CIPHER_block_size(ds->cipher); 721 bs = EVP_CIPHER_block_size(ds->cipher);
722 722
723 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { 723 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
724 unsigned char buf[13], *seq; 724 unsigned char buf[13], *seq;
725 725
726 seq = send ? s->s3->write_sequence : s->s3->read_sequence; 726 seq = send ? s->s3->write_sequence : s->s3->read_sequence;
@@ -733,14 +733,10 @@ tls1_enc(SSL *s, int send)
733 memcpy(buf, dtlsseq, 8); 733 memcpy(buf, dtlsseq, 8);
734 } else { 734 } else {
735 memcpy(buf, seq, 8); 735 memcpy(buf, seq, 8);
736 for (i = 7; 736 for (i = 7; i >= 0; i--) { /* increment */
737 i >= 0;
738 i--) /* increment */
739 {
740 ++seq[i]; 737 ++seq[i];
741 if (seq[i] != 0) 738 if (seq[i] != 0)
742 break; 739 break;
743
744 } 740 }
745 } 741 }
746 742
@@ -748,7 +744,7 @@ tls1_enc(SSL *s, int send)
748 buf[9] = (unsigned char)(s->version >> 8); 744 buf[9] = (unsigned char)(s->version >> 8);
749 buf[10] = (unsigned char)(s->version); 745 buf[10] = (unsigned char)(s->version);
750 buf[11] = rec->length >> 8; 746 buf[11] = rec->length >> 8;
751 buf[12] = rec->length&0xff; 747 buf[12] = rec->length & 0xff;
752 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); 748 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf);
753 if (send) { 749 if (send) {
754 l += pad; 750 l += pad;
@@ -795,10 +791,9 @@ tls1_enc(SSL *s, int send)
795 } 791 }
796 792
797 i = EVP_Cipher(ds, rec->data, rec->input, l); 793 i = EVP_Cipher(ds, rec->data, rec->input, l);
798 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) 794 if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) ?
799 ?(i < 0) 795 (i < 0) : (i == 0))
800 :(i == 0)) 796 return -1; /* AEAD can fail to verify MAC */
801 return -1; /* AEAD can fail to verify MAC */
802 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { 797 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) {
803 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 798 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
804 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 799 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
@@ -837,7 +832,8 @@ tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
837 return 0; 832 return 0;
838 833
839 for (i = 0; i < SSL_MAX_DIGEST; i++) { 834 for (i = 0; i < SSL_MAX_DIGEST; i++) {
840 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { 835 if (s->s3->handshake_dgst[i] &&
836 EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
841 d = s->s3->handshake_dgst[i]; 837 d = s->s3->handshake_dgst[i];
842 break; 838 break;
843 } 839 }
@@ -879,24 +875,25 @@ tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
879 if (mask & ssl_get_algorithm2(s)) { 875 if (mask & ssl_get_algorithm2(s)) {
880 int hashsize = EVP_MD_size(md); 876 int hashsize = EVP_MD_size(md);
881 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; 877 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
882 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { 878 if (!hdgst || hashsize < 0 ||
879 hashsize > (int)(sizeof buf - (size_t)(q - buf))) {
883 /* internal error: 'buf' is too small for this cipersuite! */ 880 /* internal error: 'buf' is too small for this cipersuite! */
884 err = 1; 881 err = 1;
885 } else { 882 } else {
886 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 883 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
887 !EVP_DigestFinal_ex(&ctx, q, &i) || 884 !EVP_DigestFinal_ex(&ctx, q, &i) ||
888 (i != (unsigned int)hashsize)) 885 (i != (unsigned int)hashsize))
889 err = 1; 886 err = 1;
890 q += hashsize; 887 q += hashsize;
891 } 888 }
892 } 889 }
893 } 890 }
894 891
895 if (!tls1_PRF(ssl_get_algorithm2(s), 892 if (!tls1_PRF(ssl_get_algorithm2(s), str, slen, buf,(int)(q - buf),
896 str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0, 893 NULL, 0, NULL, 0, NULL, 0,
897 s->session->master_key, s->session->master_key_length, 894 s->session->master_key, s->session->master_key_length,
898 out, buf2, sizeof buf2)) 895 out, buf2, sizeof buf2))
899 err = 1; 896 err = 1;
900 EVP_MD_CTX_cleanup(&ctx); 897 EVP_MD_CTX_cleanup(&ctx);
901 898
902 if (err) 899 if (err)
@@ -945,7 +942,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
945 unsigned char dtlsseq[8], *p = dtlsseq; 942 unsigned char dtlsseq[8], *p = dtlsseq;
946 943
947 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p); 944 s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p);
948 memcpy (p, &seq[2], 6); 945 memcpy(p, &seq[2], 6);
949 946
950 memcpy(header, dtlsseq, 8); 947 memcpy(header, dtlsseq, 8);
951 } else 948 } else
@@ -961,21 +958,18 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
961 header[11] = (rec->length) >> 8; 958 header[11] = (rec->length) >> 8;
962 header[12] = (rec->length)&0xff; 959 header[12] = (rec->length)&0xff;
963 960
964 if (!send && 961 if (!send && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
965 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 962 ssl3_cbc_record_digest_supported(mac_ctx)) {
966 ssl3_cbc_record_digest_supported(mac_ctx)) {
967 /* This is a CBC-encrypted record. We must avoid leaking any 963 /* This is a CBC-encrypted record. We must avoid leaking any
968 * timing-side channel information about how many blocks of 964 * timing-side channel information about how many blocks of
969 * data we are hashing because that gives an attacker a 965 * data we are hashing because that gives an attacker a
970 * timing-oracle. */ 966 * timing-oracle. */
971 ssl3_cbc_digest_record( 967 ssl3_cbc_digest_record(mac_ctx,
972 mac_ctx, 968 md, &md_size, header, rec->input,
973 md, &md_size, 969 rec->length + md_size, orig_len,
974 header, rec->input, 970 ssl->s3->read_mac_secret,
975 rec->length + md_size, orig_len, 971 ssl->s3->read_mac_secret_size,
976 ssl->s3->read_mac_secret, 972 0 /* not SSLv3 */);
977 ssl->s3->read_mac_secret_size,
978 0 /* not SSLv3 */);
979 } else { 973 } else {
980 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); 974 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
981 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); 975 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
@@ -1001,7 +995,6 @@ tls1_mac(SSL *ssl, unsigned char *md, int send)
1001 ++seq[i]; 995 ++seq[i];
1002 if (seq[i] != 0) 996 if (seq[i] != 0)
1003 break; 997 break;
1004
1005 } 998 }
1006 } 999 }
1007 1000
@@ -1115,20 +1108,20 @@ tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1115 * comparisons won't have buffer overflow 1108 * comparisons won't have buffer overflow
1116 */ 1109 */
1117 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 1110 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
1118 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; 1111 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
1112 goto err1;
1119 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 1113 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
1120 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; 1114 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
1115 goto err1;
1121 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 1116 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
1122 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; 1117 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
1118 goto err1;
1123 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 1119 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
1124 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; 1120 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
1121 goto err1;
1125 1122
1126 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 1123 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
1127 val, vallen, 1124 val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0,
1128 NULL, 0,
1129 NULL, 0,
1130 NULL, 0,
1131 NULL, 0,
1132 s->session->master_key, s->session->master_key_length, 1125 s->session->master_key, s->session->master_key_length,
1133 out, buff, olen); 1126 out, buff, olen);
1134 1127
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 6ee2289153..f6cfb508f6 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -152,8 +152,9 @@ tls1_default_timeout(void)
152int 152int
153tls1_new(SSL *s) 153tls1_new(SSL *s)
154{ 154{
155 if (!ssl3_new(s)) return (0); 155 if (!ssl3_new(s))
156 s->method->ssl_clear(s); 156 return (0);
157 s->method->ssl_clear(s);
157 return (1); 158 return (1);
158} 159}
159 160
@@ -349,13 +350,14 @@ unsigned char
349 unsigned char *ret = p; 350 unsigned char *ret = p;
350 351
351 /* don't add extensions for SSLv3 unless doing secure renegotiation */ 352 /* don't add extensions for SSLv3 unless doing secure renegotiation */
352 if (s->client_version == SSL3_VERSION 353 if (s->client_version == SSL3_VERSION &&
353 && !s->s3->send_connection_binding) 354 !s->s3->send_connection_binding)
354 return p; 355 return p;
355 356
356 ret += 2; 357 ret += 2;
357 358
358 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 359 if (ret>=limit)
360 return NULL; /* this really never occurs, but ... */
359 361
360 if (s->tlsext_hostname != NULL) { 362 if (s->tlsext_hostname != NULL) {
361 /* Add TLS extension servername to the Client Hello message */ 363 /* Add TLS extension servername to the Client Hello message */
@@ -371,9 +373,9 @@ unsigned char
371 + hostname length 373 + hostname length
372 */ 374 */
373 375
374 if ((lenmax = limit - ret - 9) < 0 376 if ((lenmax = limit - ret - 9) < 0 ||
375 || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 377 (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
376 return NULL; 378 return NULL;
377 379
378 /* extension type and length */ 380 /* extension type and length */
379 s2n(TLSEXT_TYPE_server_name, ret); 381 s2n(TLSEXT_TYPE_server_name, ret);
@@ -399,8 +401,8 @@ unsigned char
399 return NULL; 401 return NULL;
400 } 402 }
401 403
402 if ((limit - p - 4 - el) 404 if ((limit - p - 4 - el) < 0)
403 < 0) return NULL; 405 return NULL;
404 406
405 s2n(TLSEXT_TYPE_renegotiate, ret); 407 s2n(TLSEXT_TYPE_renegotiate, ret);
406 s2n(el, ret); 408 s2n(el, ret);
@@ -415,8 +417,8 @@ unsigned char
415 417
416#ifndef OPENSSL_NO_SRP 418#ifndef OPENSSL_NO_SRP
417 /* Add SRP username if there is one */ 419 /* Add SRP username if there is one */
418 if (s->srp_ctx.login != NULL) 420 if (s->srp_ctx.login != NULL) {
419 { /* Add TLS extension SRP username to the Client Hello message */ 421 /* Add TLS extension SRP username to the Client Hello message */
420 422
421 int login_len = strlen(s->srp_ctx.login); 423 int login_len = strlen(s->srp_ctx.login);
422 424
@@ -430,8 +432,8 @@ unsigned char
430 1 for the srp user identity 432 1 for the srp user identity
431 + srp user identity length 433 + srp user identity length
432 */ 434 */
433 if ((limit - ret - 5 - login_len) 435 if ((limit - ret - 5 - login_len) < 0)
434 < 0) return NULL; 436 return NULL;
435 437
436 438
437 /* fill in the extension */ 439 /* fill in the extension */
@@ -445,16 +447,16 @@ unsigned char
445 447
446#ifndef OPENSSL_NO_EC 448#ifndef OPENSSL_NO_EC
447 if (s->tlsext_ecpointformatlist != NULL && 449 if (s->tlsext_ecpointformatlist != NULL &&
448 s->version != DTLS1_VERSION) { 450 s->version != DTLS1_VERSION) {
449 /* Add TLS extension ECPointFormats to the ClientHello message */ 451 /* Add TLS extension ECPointFormats to the ClientHello message */
450 long lenmax; 452 long lenmax;
451 453
454 if ((lenmax = limit - ret - 5) < 0)
455 return NULL;
452 456
453 if ((lenmax = limit - ret - 5) 457 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
454 < 0) return NULL; 458 return NULL;
455 459 if (s->tlsext_ecpointformatlist_length > 255) {
456 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL;
457 if (s->tlsext_ecpointformatlist_length > 255) {
458 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 460 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
459 return NULL; 461 return NULL;
460 } 462 }
@@ -466,11 +468,10 @@ unsigned char
466 ret += s->tlsext_ecpointformatlist_length; 468 ret += s->tlsext_ecpointformatlist_length;
467 } 469 }
468 if (s->tlsext_ellipticcurvelist != NULL && 470 if (s->tlsext_ellipticcurvelist != NULL &&
469 s->version != DTLS1_VERSION) { 471 s->version != DTLS1_VERSION) {
470 /* Add TLS extension EllipticCurves to the ClientHello message */ 472 /* Add TLS extension EllipticCurves to the ClientHello message */
471 long lenmax; 473 long lenmax;
472 474
473
474 if ((lenmax = limit - ret - 6) 475 if ((lenmax = limit - ret - 6)
475 < 0) return NULL; 476 < 0) return NULL;
476 477
@@ -499,7 +500,7 @@ unsigned char
499 if (!s->new_session && s->session && s->session->tlsext_tick) 500 if (!s->new_session && s->session && s->session->tlsext_tick)
500 ticklen = s->session->tlsext_ticklen; 501 ticklen = s->session->tlsext_ticklen;
501 else if (s->session && s->tlsext_session_ticket && 502 else if (s->session && s->tlsext_session_ticket &&
502 s->tlsext_session_ticket->data) { 503 s->tlsext_session_ticket->data) {
503 ticklen = s->tlsext_session_ticket->length; 504 ticklen = s->tlsext_session_ticket->length;
504 s->session->tlsext_tick = malloc(ticklen); 505 s->session->tlsext_tick = malloc(ticklen);
505 if (!s->session->tlsext_tick) 506 if (!s->session->tlsext_tick)
@@ -511,13 +512,14 @@ unsigned char
511 } else 512 } else
512 ticklen = 0; 513 ticklen = 0;
513 if (ticklen == 0 && s->tlsext_session_ticket && 514 if (ticklen == 0 && s->tlsext_session_ticket &&
514 s->tlsext_session_ticket->data == NULL) 515 s->tlsext_session_ticket->data == NULL)
515 goto skip_ext; 516 goto skip_ext;
516 /* Check for enough room 2 for extension type, 2 for len 517 /* Check for enough room 2 for extension type, 2 for len
517 * rest for ticket 518 * rest for ticket
518 */ 519 */
519 if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; 520 if ((long)(limit - ret - 4 - ticklen) < 0)
520 s2n(TLSEXT_TYPE_session_ticket, ret); 521 return NULL;
522 s2n(TLSEXT_TYPE_session_ticket, ret);
521 523
522 s2n(ticklen, ret); 524 s2n(ticklen, ret);
523 if (ticklen) { 525 if (ticklen) {
@@ -525,7 +527,7 @@ unsigned char
525 ret += ticklen; 527 ret += ticklen;
526 } 528 }
527 } 529 }
528 skip_ext: 530skip_ext:
529 531
530 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { 532 if (TLS1_get_client_version(s) >= TLS1_2_VERSION) {
531 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) 533 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
@@ -558,7 +560,7 @@ unsigned char
558#endif 560#endif
559 561
560 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && 562 if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
561 s->version != DTLS1_VERSION) { 563 s->version != DTLS1_VERSION) {
562 int i; 564 int i;
563 long extlen, idlen, itmp; 565 long extlen, idlen, itmp;
564 OCSP_RESPID *id; 566 OCSP_RESPID *id;
@@ -579,8 +581,9 @@ unsigned char
579 } else 581 } else
580 extlen = 0; 582 extlen = 0;
581 583
582 if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; 584 if ((long)(limit - ret - 7 - extlen - idlen) < 0)
583 s2n(TLSEXT_TYPE_status_request, ret); 585 return NULL;
586 s2n(TLSEXT_TYPE_status_request, ret);
584 if (extlen + idlen > 0xFFF0) 587 if (extlen + idlen > 0xFFF0)
585 return NULL; 588 return NULL;
586 s2n(extlen + idlen + 5, ret); 589 s2n(extlen + idlen + 5, ret);
@@ -618,8 +621,8 @@ unsigned char
618 621
619 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); 622 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
620 623
621 if ((limit - p - 4 - el) 624 if ((limit - p - 4 - el) < 0)
622 < 0) return NULL; 625 return NULL;
623 626
624 s2n(TLSEXT_TYPE_use_srtp, ret); 627 s2n(TLSEXT_TYPE_use_srtp, ret);
625 s2n(el, ret); 628 s2n(el, ret);
@@ -682,11 +685,12 @@ unsigned char
682 return p; 685 return p;
683 686
684 ret += 2; 687 ret += 2;
685 if (ret>=limit) return NULL; /* this really never occurs, but ... */ 688 if (ret>=limit)
689 return NULL; /* this really never occurs, but ... */
686 690
687 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) { 691 if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) {
688 if ((long)(limit - ret - 4) < 0) return NULL; 692 if ((long)(limit - ret - 4) < 0)
689 693 return NULL;
690 694
691 s2n(TLSEXT_TYPE_server_name, ret); 695 s2n(TLSEXT_TYPE_server_name, ret);
692 s2n(0, ret); 696 s2n(0, ret);
@@ -724,8 +728,9 @@ unsigned char
724 if ((lenmax = limit - ret - 5) 728 if ((lenmax = limit - ret - 5)
725 < 0) return NULL; 729 < 0) return NULL;
726 730
727 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; 731 if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax)
728 if (s->tlsext_ecpointformatlist_length > 255) { 732 return NULL;
733 if (s->tlsext_ecpointformatlist_length > 255) {
729 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); 734 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
730 return NULL; 735 return NULL;
731 } 736 }
@@ -740,24 +745,24 @@ unsigned char
740 /* Currently the server should not respond with a SupportedCurves extension */ 745 /* Currently the server should not respond with a SupportedCurves extension */
741#endif /* OPENSSL_NO_EC */ 746#endif /* OPENSSL_NO_EC */
742 747
743 if (s->tlsext_ticket_expected 748 if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
744 && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { 749 if ((long)(limit - ret - 4) < 0)
745 if ((long)(limit - ret - 4) < 0) return NULL; 750 return NULL;
746 751
747 s2n(TLSEXT_TYPE_session_ticket, ret); 752 s2n(TLSEXT_TYPE_session_ticket, ret);
748 s2n(0, ret); 753 s2n(0, ret);
749 } 754 }
750 755
751 if (s->tlsext_status_expected) { 756 if (s->tlsext_status_expected) {
752 if ((long)(limit - ret - 4) < 0) return NULL; 757 if ((long)(limit - ret - 4) < 0)
758 return NULL;
753 759
754 s2n(TLSEXT_TYPE_status_request, ret); 760 s2n(TLSEXT_TYPE_status_request, ret);
755 s2n(0, ret); 761 s2n(0, ret);
756 } 762 }
757 763
758#ifdef TLSEXT_TYPE_opaque_prf_input 764#ifdef TLSEXT_TYPE_opaque_prf_input
759 if (s->s3->server_opaque_prf_input != NULL && 765 if (s->s3->server_opaque_prf_input != NULL && s->version != DTLS1_VERSION) {
760 s->version != DTLS1_VERSION) {
761 size_t sol = s->s3->server_opaque_prf_input_len; 766 size_t sol = s->s3->server_opaque_prf_input_len;
762 767
763 if ((long)(limit - ret - 6 - sol) < 0) 768 if ((long)(limit - ret - 6 - sol) < 0)
@@ -794,8 +799,9 @@ unsigned char
794 } 799 }
795#endif 800#endif
796 801
797 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) 802 if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 ||
798 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { 803 (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) &&
804 (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) {
799 const unsigned char cryptopro_ext[36] = { 805 const unsigned char cryptopro_ext[36] = {
800 0xfd, 0xe8, /*65000*/ 806 0xfd, 0xe8, /*65000*/
801 0x00, 0x20, /*32 bytes length*/ 807 0x00, 0x20, /*32 bytes length*/
@@ -820,8 +826,9 @@ unsigned char
820 826
821 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); 827 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
822 if (r == SSL_TLSEXT_ERR_OK) { 828 if (r == SSL_TLSEXT_ERR_OK) {
823 if ((long)(limit - ret - 4 - npalen) < 0) return NULL; 829 if ((long)(limit - ret - 4 - npalen) < 0)
824 s2n(TLSEXT_TYPE_next_proto_neg, ret); 830 return NULL;
831 s2n(TLSEXT_TYPE_next_proto_neg, ret);
825 s2n(npalen, ret); 832 s2n(npalen, ret);
826 memcpy(ret, npa, npalen); 833 memcpy(ret, npa, npalen);
827 ret += npalen; 834 ret += npalen;
@@ -987,7 +994,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
987 int servname_type; 994 int servname_type;
988 int dsize; 995 int dsize;
989 996
990
991 if (size < 2) { 997 if (size < 2) {
992 *al = SSL_AD_DECODE_ERROR; 998 *al = SSL_AD_DECODE_ERROR;
993 return 0; 999 return 0;
@@ -1013,7 +1019,7 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1013 } 1019 }
1014 if (s->servername_done == 0) 1020 if (s->servername_done == 0)
1015 switch (servname_type) { 1021 switch (servname_type) {
1016 case TLSEXT_NAMETYPE_host_name: 1022 case TLSEXT_NAMETYPE_host_name:
1017 if (!s->hit) { 1023 if (!s->hit) {
1018 if (s->session->tlsext_hostname) { 1024 if (s->session->tlsext_hostname) {
1019 *al = SSL_AD_DECODE_ERROR; 1025 *al = SSL_AD_DECODE_ERROR;
@@ -1038,14 +1044,14 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1038 s->servername_done = 1; 1044 s->servername_done = 1;
1039 1045
1040 1046
1041 } else 1047 } else {
1042 s->servername_done = s->session->tlsext_hostname 1048 s->servername_done = s->session->tlsext_hostname &&
1043 && strlen(s->session->tlsext_hostname) == len 1049 strlen(s->session->tlsext_hostname) == len &&
1044 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; 1050 strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
1045 1051 }
1046 break; 1052 break;
1047 1053
1048 default: 1054 default:
1049 break; 1055 break;
1050 } 1056 }
1051 1057
@@ -1285,12 +1291,12 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1285 return 0; 1291 return 0;
1286 } 1292 }
1287 } 1293 }
1288 } 1294 } else {
1289 /* We don't know what to do with any other type 1295 /* We don't know what to do with any other type
1290 * so ignore it. 1296 * so ignore it.
1291 */ 1297 */
1292 else
1293 s->tlsext_status_type = -1; 1298 s->tlsext_status_type = -1;
1299 }
1294 } 1300 }
1295#ifndef OPENSSL_NO_NEXTPROTONEG 1301#ifndef OPENSSL_NO_NEXTPROTONEG
1296 else if (type == TLSEXT_TYPE_next_proto_neg && 1302 else if (type == TLSEXT_TYPE_next_proto_neg &&
@@ -1317,9 +1323,8 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
1317 /* session ticket processed earlier */ 1323 /* session ticket processed earlier */
1318#ifndef OPENSSL_NO_SRTP 1324#ifndef OPENSSL_NO_SRTP
1319 else if (type == TLSEXT_TYPE_use_srtp) { 1325 else if (type == TLSEXT_TYPE_use_srtp) {
1320 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, 1326 if (ssl_parse_clienthello_use_srtp_ext(s, data, size, al))
1321 al)) 1327 return 0;
1322 return 0;
1323 } 1328 }
1324#endif 1329#endif
1325 1330
@@ -1404,7 +1409,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1404 tlsext_servername = 1; 1409 tlsext_servername = 1;
1405 1410
1406 } 1411 }
1407
1408#ifndef OPENSSL_NO_EC 1412#ifndef OPENSSL_NO_EC
1409 else if (type == TLSEXT_TYPE_ec_point_formats && 1413 else if (type == TLSEXT_TYPE_ec_point_formats &&
1410 s->version != DTLS1_VERSION) { 1414 s->version != DTLS1_VERSION) {
@@ -1434,15 +1438,13 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1434#endif 1438#endif
1435 } 1439 }
1436#endif /* OPENSSL_NO_EC */ 1440#endif /* OPENSSL_NO_EC */
1437
1438 else if (type == TLSEXT_TYPE_session_ticket) { 1441 else if (type == TLSEXT_TYPE_session_ticket) {
1439 if (s->tls_session_ticket_ext_cb && 1442 if (s->tls_session_ticket_ext_cb &&
1440 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { 1443 !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) {
1441 *al = TLS1_AD_INTERNAL_ERROR; 1444 *al = TLS1_AD_INTERNAL_ERROR;
1442 return 0; 1445 return 0;
1443 } 1446 }
1444 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) 1447 if ((SSL_get_options(s) & SSL_OP_NO_TICKET) || (size > 0)) {
1445 || (size > 0)) {
1446 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1448 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1447 return 0; 1449 return 0;
1448 } 1450 }
@@ -1450,7 +1452,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1450 } 1452 }
1451#ifdef TLSEXT_TYPE_opaque_prf_input 1453#ifdef TLSEXT_TYPE_opaque_prf_input
1452 else if (type == TLSEXT_TYPE_opaque_prf_input && 1454 else if (type == TLSEXT_TYPE_opaque_prf_input &&
1453 s->version != DTLS1_VERSION) { 1455 s->version != DTLS1_VERSION) {
1454 unsigned char *sdata = data; 1456 unsigned char *sdata = data;
1455 1457
1456 if (size < 2) { 1458 if (size < 2) {
@@ -1477,7 +1479,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1477 } 1479 }
1478#endif 1480#endif
1479 else if (type == TLSEXT_TYPE_status_request && 1481 else if (type == TLSEXT_TYPE_status_request &&
1480 s->version != DTLS1_VERSION) { 1482 s->version != DTLS1_VERSION) {
1481 /* MUST be empty and only sent if we've requested 1483 /* MUST be empty and only sent if we've requested
1482 * a status request message. 1484 * a status request message.
1483 */ 1485 */
@@ -1490,7 +1492,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1490 } 1492 }
1491#ifndef OPENSSL_NO_NEXTPROTONEG 1493#ifndef OPENSSL_NO_NEXTPROTONEG
1492 else if (type == TLSEXT_TYPE_next_proto_neg && 1494 else if (type == TLSEXT_TYPE_next_proto_neg &&
1493 s->s3->tmp.finish_md_len == 0) { 1495 s->s3->tmp.finish_md_len == 0) {
1494 unsigned char *selected; 1496 unsigned char *selected;
1495 unsigned char selected_len; 1497 unsigned char selected_len;
1496 1498
@@ -1558,7 +1560,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1558 1560
1559 *p = data; 1561 *p = data;
1560 1562
1561 ri_check: 1563ri_check:
1562 1564
1563 /* Determine if we need to see RI. Strictly speaking if we want to 1565 /* Determine if we need to see RI. Strictly speaking if we want to
1564 * avoid an attack we should *always* see RI even on initial server 1566 * avoid an attack we should *always* see RI even on initial server
@@ -1567,8 +1569,7 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1567 * which doesn't support RI so for the immediate future tolerate RI 1569 * which doesn't support RI so for the immediate future tolerate RI
1568 * absence on initial connect only. 1570 * absence on initial connect only.
1569 */ 1571 */
1570 if (!renegotiate_seen 1572 if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1571 && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1572 *al = SSL_AD_HANDSHAKE_FAILURE; 1573 *al = SSL_AD_HANDSHAKE_FAILURE;
1573 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, 1574 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,
1574 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1575 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
@@ -1578,7 +1579,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n,
1578 return 1; 1579 return 1;
1579} 1580}
1580 1581
1581
1582int 1582int
1583ssl_prepare_clienthello_tlsext(SSL *s) 1583ssl_prepare_clienthello_tlsext(SSL *s)
1584{ 1584{
@@ -1597,7 +1597,8 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1597 1597
1598 alg_k = c->algorithm_mkey; 1598 alg_k = c->algorithm_mkey;
1599 alg_a = c->algorithm_auth; 1599 alg_a = c->algorithm_auth;
1600 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { 1600 if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) ||
1601 (alg_a & SSL_aECDSA))) {
1601 using_ecc = 1; 1602 using_ecc = 1;
1602 break; 1603 break;
1603 } 1604 }
@@ -1625,9 +1626,8 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1625 return -1; 1626 return -1;
1626 } 1627 }
1627 for (i = 0, j = s->tlsext_ellipticcurvelist; 1628 for (i = 0, j = s->tlsext_ellipticcurvelist;
1628 (unsigned int)i < 1629 (unsigned int)i < sizeof(pref_list)/sizeof(pref_list[0]);
1629 sizeof(pref_list)/sizeof(pref_list[0]); 1630 i++) {
1630 i++) {
1631 int id = tls1_ec_nid2curve_id(pref_list[i]); 1631 int id = tls1_ec_nid2curve_id(pref_list[i]);
1632 s2n(id, j); 1632 s2n(id, j);
1633 } 1633 }
@@ -1659,9 +1659,11 @@ ssl_prepare_clienthello_tlsext(SSL *s)
1659 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1659 s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len;
1660 } 1660 }
1661 1661
1662 if (r == 2) 1662 if (r == 2) {
1663 /* at callback's request, insist on receiving an appropriate server opaque PRF input */ 1663 /* at callback's request, insist on receiving an appropriate server opaque PRF input */
1664 s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; 1664 s->s3->server_opaque_prf_input_len =
1665 s->tlsext_opaque_prf_input_len;
1666 }
1665 } 1667 }
1666#endif 1668#endif
1667 1669
@@ -1743,7 +1745,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
1743 1745
1744 if (s->tlsext_opaque_prf_input != NULL) { 1746 if (s->tlsext_opaque_prf_input != NULL) {
1745 if (s->s3->client_opaque_prf_input != NULL && 1747 if (s->s3->client_opaque_prf_input != NULL &&
1746 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { 1748 s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) {
1747 /* can only use this extension if we have a server opaque PRF input 1749 /* can only use this extension if we have a server opaque PRF input
1748 * of the same length as the client opaque PRF input! */ 1750 * of the same length as the client opaque PRF input! */
1749 1751
@@ -1770,7 +1772,7 @@ ssl_check_clienthello_tlsext_early(SSL *s)
1770 } 1772 }
1771 } 1773 }
1772 1774
1773 err: 1775err:
1774#endif 1776#endif
1775 switch (ret) { 1777 switch (ret) {
1776 case SSL_TLSEXT_ERR_ALERT_FATAL: 1778 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1842,12 +1844,10 @@ err:
1842 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1844 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1843 1845
1844 return -1; 1846 return -1;
1845
1846 case SSL_TLSEXT_ERR_ALERT_WARNING: 1847 case SSL_TLSEXT_ERR_ALERT_WARNING:
1847 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1848 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1848 return 1; 1849 return 1;
1849 1850
1850
1851 default: 1851 default:
1852 return 1; 1852 return 1;
1853 } 1853 }
@@ -1866,9 +1866,11 @@ ssl_check_serverhello_tlsext(SSL *s)
1866 */ 1866 */
1867 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 1867 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1868 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; 1868 unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
1869 if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 1869 if ((s->tlsext_ecpointformatlist != NULL) &&
1870 (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && 1870 (s->tlsext_ecpointformatlist_length > 0) &&
1871 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { 1871 (s->session->tlsext_ecpointformatlist != NULL) &&
1872 (s->session->tlsext_ecpointformatlist_length > 0) &&
1873 ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) {
1872 /* we are using an ECC cipher */ 1874 /* we are using an ECC cipher */
1873 size_t i; 1875 size_t i;
1874 unsigned char *list; 1876 unsigned char *list;
@@ -1943,12 +1945,10 @@ ssl_check_serverhello_tlsext(SSL *s)
1943 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1945 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1944 1946
1945 return -1; 1947 return -1;
1946
1947 case SSL_TLSEXT_ERR_ALERT_WARNING: 1948 case SSL_TLSEXT_ERR_ALERT_WARNING:
1948 ssl3_send_alert(s, SSL3_AL_WARNING, al); 1949 ssl3_send_alert(s, SSL3_AL_WARNING, al);
1949 return 1;
1950
1951 1950
1951 return 1;
1952 case SSL_TLSEXT_ERR_NOACK: 1952 case SSL_TLSEXT_ERR_NOACK:
1953 s->servername_done = 0; 1953 s->servername_done = 0;
1954 default: 1954 default:
@@ -2279,6 +2279,7 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2279 int i, idx; 2279 int i, idx;
2280 const EVP_MD *md; 2280 const EVP_MD *md;
2281 CERT *c = s->cert; 2281 CERT *c = s->cert;
2282
2282 /* Extension ignored for TLS versions below 1.2 */ 2283 /* Extension ignored for TLS versions below 1.2 */
2283 if (TLS1_get_version(s) < TLS1_2_VERSION) 2284 if (TLS1_get_version(s) < TLS1_2_VERSION)
2284 return 1; 2285 return 1;
@@ -2321,7 +2322,6 @@ tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2321 2322
2322 } 2323 }
2323 2324
2324
2325 /* Set any remaining keys to default values. NOTE: if alg is not 2325 /* Set any remaining keys to default values. NOTE: if alg is not
2326 * supported it stays as NULL. 2326 * supported it stays as NULL.
2327 */ 2327 */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 18:15:38 +0000