diff options
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 22 | ||||
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 24 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_clnt.c | 22 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_lib.c | 24 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_lib.c | 19 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl_locl.h | 5 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 19 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 5 |
8 files changed, 60 insertions, 80 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 848de8c268..9ccc67acb9 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s) | |||
| 775 | { | 775 | { |
| 776 | STACK_OF(SSL_CIPHER) *sk; | 776 | STACK_OF(SSL_CIPHER) *sk; |
| 777 | const SSL_CIPHER *c; | 777 | const SSL_CIPHER *c; |
| 778 | unsigned char *p, *d; | 778 | unsigned char *p, *q, *d; |
| 779 | int i, al, ok; | 779 | int i, al, ok; |
| 780 | unsigned int j; | 780 | unsigned int j, cipher_id; |
| 781 | uint16_t cipher_value; | ||
| 781 | long n; | 782 | long n; |
| 782 | 783 | ||
| 783 | n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, | 784 | n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, |
| @@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 830 | p += SSL3_RANDOM_SIZE; | 831 | p += SSL3_RANDOM_SIZE; |
| 831 | 832 | ||
| 832 | /* get the session-id */ | 833 | /* get the session-id */ |
| 833 | j= *(p++); | 834 | j = *(p++); |
| 834 | 835 | ||
| 835 | if ((j > sizeof s->session->session_id) || | 836 | if ((j > sizeof s->session->session_id) || |
| 836 | (j > SSL3_SESSION_ID_SIZE)) { | 837 | (j > SSL3_SESSION_ID_SIZE)) { |
| @@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 843 | if (p + j + 2 - d > n) | 844 | if (p + j + 2 - d > n) |
| 844 | goto truncated; | 845 | goto truncated; |
| 845 | 846 | ||
| 847 | /* Get the cipher value. */ | ||
| 848 | q = p + j; | ||
| 849 | n2s(q, cipher_value); | ||
| 850 | cipher_id = SSL3_CK_ID | cipher_value; | ||
| 851 | |||
| 846 | /* | 852 | /* |
| 847 | * Check if we want to resume the session based on external | 853 | * Check if we want to resume the session based on external |
| 848 | * pre-shared secret | 854 | * pre-shared secret |
| @@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 854 | &s->session->master_key_length, NULL, &pref_cipher, | 860 | &s->session->master_key_length, NULL, &pref_cipher, |
| 855 | s->tls_session_secret_cb_arg)) { | 861 | s->tls_session_secret_cb_arg)) { |
| 856 | s->session->cipher = pref_cipher ? | 862 | s->session->cipher = pref_cipher ? |
| 857 | pref_cipher : ssl3_get_cipher_by_char(p + j); | 863 | pref_cipher : ssl3_get_cipher_by_id(cipher_id); |
| 858 | s->s3->flags |= SSL3_FLAGS_CCS_OK; | 864 | s->s3->flags |= SSL3_FLAGS_CCS_OK; |
| 859 | } | 865 | } |
| 860 | } | 866 | } |
| @@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 885 | } | 891 | } |
| 886 | } | 892 | } |
| 887 | s->session->session_id_length = j; | 893 | s->session->session_id_length = j; |
| 888 | memcpy(s->session->session_id,p,j); /* j could be 0 */ | 894 | memcpy(s->session->session_id, p, j); /* j could be 0 */ |
| 889 | } | 895 | } |
| 890 | p += j; | 896 | p += j; |
| 891 | c = ssl3_get_cipher_by_char(p); | 897 | |
| 898 | c = ssl3_get_cipher_by_id(cipher_id); | ||
| 892 | if (c == NULL) { | 899 | if (c == NULL) { |
| 893 | /* unknown cipher */ | 900 | /* unknown cipher */ |
| 894 | al = SSL_AD_ILLEGAL_PARAMETER; | 901 | al = SSL_AD_ILLEGAL_PARAMETER; |
| @@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 896 | SSL_R_UNKNOWN_CIPHER_RETURNED); | 903 | SSL_R_UNKNOWN_CIPHER_RETURNED); |
| 897 | goto f_err; | 904 | goto f_err; |
| 898 | } | 905 | } |
| 906 | |||
| 899 | /* TLS v1.2 only ciphersuites require v1.2 or later */ | 907 | /* TLS v1.2 only ciphersuites require v1.2 or later */ |
| 900 | if ((c->algorithm_ssl & SSL_TLSV1_2) && | 908 | if ((c->algorithm_ssl & SSL_TLSV1_2) && |
| 901 | (TLS1_get_version(s) < TLS1_2_VERSION)) { | 909 | (TLS1_get_version(s) < TLS1_2_VERSION)) { |
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 1d84effeea..1578f0388d 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
| 2452 | return (1); | 2452 | return (1); |
| 2453 | } | 2453 | } |
| 2454 | 2454 | ||
| 2455 | /* This function needs to check if the ciphers required are actually | ||
| 2456 | * available */ | ||
| 2457 | const SSL_CIPHER * | ||
| 2458 | ssl3_get_cipher_by_char(const unsigned char *p) | ||
| 2459 | { | ||
| 2460 | SSL_CIPHER c; | ||
| 2461 | const SSL_CIPHER *cp; | ||
| 2462 | unsigned long id; | ||
| 2463 | |||
| 2464 | id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; | ||
| 2465 | c.id = id; | ||
| 2466 | cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); | ||
| 2467 | #ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES | ||
| 2468 | if (cp == NULL) | ||
| 2469 | fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); | ||
| 2470 | #endif | ||
| 2471 | if (cp == NULL || cp->valid == 0) | ||
| 2472 | return NULL; | ||
| 2473 | else | ||
| 2474 | return cp; | ||
| 2475 | } | ||
| 2476 | |||
| 2477 | int | 2455 | int |
| 2478 | ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) | 2456 | ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) |
| 2479 | { | 2457 | { |
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 848de8c268..9ccc67acb9 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */ | 1 | /* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s) | |||
| 775 | { | 775 | { |
| 776 | STACK_OF(SSL_CIPHER) *sk; | 776 | STACK_OF(SSL_CIPHER) *sk; |
| 777 | const SSL_CIPHER *c; | 777 | const SSL_CIPHER *c; |
| 778 | unsigned char *p, *d; | 778 | unsigned char *p, *q, *d; |
| 779 | int i, al, ok; | 779 | int i, al, ok; |
| 780 | unsigned int j; | 780 | unsigned int j, cipher_id; |
| 781 | uint16_t cipher_value; | ||
| 781 | long n; | 782 | long n; |
| 782 | 783 | ||
| 783 | n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, | 784 | n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, |
| @@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 830 | p += SSL3_RANDOM_SIZE; | 831 | p += SSL3_RANDOM_SIZE; |
| 831 | 832 | ||
| 832 | /* get the session-id */ | 833 | /* get the session-id */ |
| 833 | j= *(p++); | 834 | j = *(p++); |
| 834 | 835 | ||
| 835 | if ((j > sizeof s->session->session_id) || | 836 | if ((j > sizeof s->session->session_id) || |
| 836 | (j > SSL3_SESSION_ID_SIZE)) { | 837 | (j > SSL3_SESSION_ID_SIZE)) { |
| @@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 843 | if (p + j + 2 - d > n) | 844 | if (p + j + 2 - d > n) |
| 844 | goto truncated; | 845 | goto truncated; |
| 845 | 846 | ||
| 847 | /* Get the cipher value. */ | ||
| 848 | q = p + j; | ||
| 849 | n2s(q, cipher_value); | ||
| 850 | cipher_id = SSL3_CK_ID | cipher_value; | ||
| 851 | |||
| 846 | /* | 852 | /* |
| 847 | * Check if we want to resume the session based on external | 853 | * Check if we want to resume the session based on external |
| 848 | * pre-shared secret | 854 | * pre-shared secret |
| @@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 854 | &s->session->master_key_length, NULL, &pref_cipher, | 860 | &s->session->master_key_length, NULL, &pref_cipher, |
| 855 | s->tls_session_secret_cb_arg)) { | 861 | s->tls_session_secret_cb_arg)) { |
| 856 | s->session->cipher = pref_cipher ? | 862 | s->session->cipher = pref_cipher ? |
| 857 | pref_cipher : ssl3_get_cipher_by_char(p + j); | 863 | pref_cipher : ssl3_get_cipher_by_id(cipher_id); |
| 858 | s->s3->flags |= SSL3_FLAGS_CCS_OK; | 864 | s->s3->flags |= SSL3_FLAGS_CCS_OK; |
| 859 | } | 865 | } |
| 860 | } | 866 | } |
| @@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 885 | } | 891 | } |
| 886 | } | 892 | } |
| 887 | s->session->session_id_length = j; | 893 | s->session->session_id_length = j; |
| 888 | memcpy(s->session->session_id,p,j); /* j could be 0 */ | 894 | memcpy(s->session->session_id, p, j); /* j could be 0 */ |
| 889 | } | 895 | } |
| 890 | p += j; | 896 | p += j; |
| 891 | c = ssl3_get_cipher_by_char(p); | 897 | |
| 898 | c = ssl3_get_cipher_by_id(cipher_id); | ||
| 892 | if (c == NULL) { | 899 | if (c == NULL) { |
| 893 | /* unknown cipher */ | 900 | /* unknown cipher */ |
| 894 | al = SSL_AD_ILLEGAL_PARAMETER; | 901 | al = SSL_AD_ILLEGAL_PARAMETER; |
| @@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 896 | SSL_R_UNKNOWN_CIPHER_RETURNED); | 903 | SSL_R_UNKNOWN_CIPHER_RETURNED); |
| 897 | goto f_err; | 904 | goto f_err; |
| 898 | } | 905 | } |
| 906 | |||
| 899 | /* TLS v1.2 only ciphersuites require v1.2 or later */ | 907 | /* TLS v1.2 only ciphersuites require v1.2 or later */ |
| 900 | if ((c->algorithm_ssl & SSL_TLSV1_2) && | 908 | if ((c->algorithm_ssl & SSL_TLSV1_2) && |
| 901 | (TLS1_get_version(s) < TLS1_2_VERSION)) { | 909 | (TLS1_get_version(s) < TLS1_2_VERSION)) { |
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index 1d84effeea..1578f0388d 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) | |||
| 2452 | return (1); | 2452 | return (1); |
| 2453 | } | 2453 | } |
| 2454 | 2454 | ||
| 2455 | /* This function needs to check if the ciphers required are actually | ||
| 2456 | * available */ | ||
| 2457 | const SSL_CIPHER * | ||
| 2458 | ssl3_get_cipher_by_char(const unsigned char *p) | ||
| 2459 | { | ||
| 2460 | SSL_CIPHER c; | ||
| 2461 | const SSL_CIPHER *cp; | ||
| 2462 | unsigned long id; | ||
| 2463 | |||
| 2464 | id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; | ||
| 2465 | c.id = id; | ||
| 2466 | cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); | ||
| 2467 | #ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES | ||
| 2468 | if (cp == NULL) | ||
| 2469 | fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); | ||
| 2470 | #endif | ||
| 2471 | if (cp == NULL || cp->valid == 0) | ||
| 2472 | return NULL; | ||
| 2473 | else | ||
| 2474 | return cp; | ||
| 2475 | } | ||
| 2476 | |||
| 2477 | int | 2455 | int |
| 2478 | ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) | 2456 | ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) |
| 2479 | { | 2457 | { |
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 55ab469df5..e5dedf0ba4 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1408 | const SSL_CIPHER *c; | 1408 | const SSL_CIPHER *c; |
| 1409 | STACK_OF(SSL_CIPHER) *sk; | 1409 | STACK_OF(SSL_CIPHER) *sk; |
| 1410 | int i; | 1410 | int i; |
| 1411 | unsigned int cipher_id; | ||
| 1412 | uint16_t cipher_value; | ||
| 1411 | 1413 | ||
| 1412 | if (s->s3) | 1414 | if (s->s3) |
| 1413 | s->s3->send_connection_binding = 0; | 1415 | s->s3->send_connection_binding = 0; |
| @@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1427 | } | 1429 | } |
| 1428 | 1430 | ||
| 1429 | for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { | 1431 | for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { |
| 1432 | n2s(p, cipher_value); | ||
| 1433 | cipher_id = SSL3_CK_ID | cipher_value; | ||
| 1434 | |||
| 1430 | /* Check for SCSV */ | 1435 | /* Check for SCSV */ |
| 1431 | if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) && | 1436 | if (s->s3 && cipher_id == SSL3_CK_SCSV) { |
| 1432 | (p[1] == (SSL3_CK_SCSV & 0xff))) { | 1437 | /* SCSV is fatal if renegotiating. */ |
| 1433 | /* SCSV fatal if renegotiating */ | ||
| 1434 | if (s->renegotiate) { | 1438 | if (s->renegotiate) { |
| 1435 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, | 1439 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, |
| 1436 | SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); | 1440 | SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); |
| @@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1440 | goto err; | 1444 | goto err; |
| 1441 | } | 1445 | } |
| 1442 | s->s3->send_connection_binding = 1; | 1446 | s->s3->send_connection_binding = 1; |
| 1443 | p += SSL3_CIPHER_VALUE_SIZE; | ||
| 1444 | continue; | 1447 | continue; |
| 1445 | } | 1448 | } |
| 1446 | 1449 | ||
| 1447 | c = ssl3_get_cipher_by_char(p); | 1450 | c = ssl3_get_cipher_by_id(cipher_id); |
| 1448 | p += SSL3_CIPHER_VALUE_SIZE; | ||
| 1449 | if (c != NULL) { | 1451 | if (c != NULL) { |
| 1450 | if (!sk_SSL_CIPHER_push(sk, c)) { | 1452 | if (!sk_SSL_CIPHER_push(sk, c)) { |
| 1451 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, | 1453 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, |
| @@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1458 | if (skp != NULL) | 1460 | if (skp != NULL) |
| 1459 | *skp = sk; | 1461 | *skp = sk; |
| 1460 | return (sk); | 1462 | return (sk); |
| 1463 | |||
| 1461 | err: | 1464 | err: |
| 1462 | if ((skp == NULL) || (*skp == NULL)) | 1465 | if (skp == NULL || *skp == NULL) |
| 1463 | sk_SSL_CIPHER_free(sk); | 1466 | sk_SSL_CIPHER_free(sk); |
| 1464 | return (NULL); | 1467 | return (NULL); |
| 1465 | } | 1468 | } |
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 87b27a1d99..1c823c046a 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -325,6 +325,8 @@ | |||
| 325 | * make sure to update this constant too */ | 325 | * make sure to update this constant too */ |
| 326 | #define SSL_MAX_DIGEST 6 | 326 | #define SSL_MAX_DIGEST 6 |
| 327 | 327 | ||
| 328 | #define SSL3_CK_ID 0x03000000 | ||
| 329 | |||
| 328 | #define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) | 330 | #define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) |
| 329 | 331 | ||
| 330 | #define TLS1_PRF_DGST_SHIFT 10 | 332 | #define TLS1_PRF_DGST_SHIFT 10 |
| @@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); | |||
| 594 | int ssl_verify_alarm_type(long type); | 596 | int ssl_verify_alarm_type(long type); |
| 595 | void ssl_load_ciphers(void); | 597 | void ssl_load_ciphers(void); |
| 596 | 598 | ||
| 597 | const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); | ||
| 598 | int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); | 599 | int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); |
| 599 | void ssl3_init_finished_mac(SSL *s); | 600 | void ssl3_init_finished_mac(SSL *s); |
| 600 | int ssl3_send_server_certificate(SSL *s); | 601 | int ssl3_send_server_certificate(SSL *s); |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 55ab469df5..e5dedf0ba4 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1408 | const SSL_CIPHER *c; | 1408 | const SSL_CIPHER *c; |
| 1409 | STACK_OF(SSL_CIPHER) *sk; | 1409 | STACK_OF(SSL_CIPHER) *sk; |
| 1410 | int i; | 1410 | int i; |
| 1411 | unsigned int cipher_id; | ||
| 1412 | uint16_t cipher_value; | ||
| 1411 | 1413 | ||
| 1412 | if (s->s3) | 1414 | if (s->s3) |
| 1413 | s->s3->send_connection_binding = 0; | 1415 | s->s3->send_connection_binding = 0; |
| @@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1427 | } | 1429 | } |
| 1428 | 1430 | ||
| 1429 | for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { | 1431 | for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) { |
| 1432 | n2s(p, cipher_value); | ||
| 1433 | cipher_id = SSL3_CK_ID | cipher_value; | ||
| 1434 | |||
| 1430 | /* Check for SCSV */ | 1435 | /* Check for SCSV */ |
| 1431 | if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) && | 1436 | if (s->s3 && cipher_id == SSL3_CK_SCSV) { |
| 1432 | (p[1] == (SSL3_CK_SCSV & 0xff))) { | 1437 | /* SCSV is fatal if renegotiating. */ |
| 1433 | /* SCSV fatal if renegotiating */ | ||
| 1434 | if (s->renegotiate) { | 1438 | if (s->renegotiate) { |
| 1435 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, | 1439 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, |
| 1436 | SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); | 1440 | SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); |
| @@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1440 | goto err; | 1444 | goto err; |
| 1441 | } | 1445 | } |
| 1442 | s->s3->send_connection_binding = 1; | 1446 | s->s3->send_connection_binding = 1; |
| 1443 | p += SSL3_CIPHER_VALUE_SIZE; | ||
| 1444 | continue; | 1447 | continue; |
| 1445 | } | 1448 | } |
| 1446 | 1449 | ||
| 1447 | c = ssl3_get_cipher_by_char(p); | 1450 | c = ssl3_get_cipher_by_id(cipher_id); |
| 1448 | p += SSL3_CIPHER_VALUE_SIZE; | ||
| 1449 | if (c != NULL) { | 1451 | if (c != NULL) { |
| 1450 | if (!sk_SSL_CIPHER_push(sk, c)) { | 1452 | if (!sk_SSL_CIPHER_push(sk, c)) { |
| 1451 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, | 1453 | SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, |
| @@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, | |||
| 1458 | if (skp != NULL) | 1460 | if (skp != NULL) |
| 1459 | *skp = sk; | 1461 | *skp = sk; |
| 1460 | return (sk); | 1462 | return (sk); |
| 1463 | |||
| 1461 | err: | 1464 | err: |
| 1462 | if ((skp == NULL) || (*skp == NULL)) | 1465 | if (skp == NULL || *skp == NULL) |
| 1463 | sk_SSL_CIPHER_free(sk); | 1466 | sk_SSL_CIPHER_free(sk); |
| 1464 | return (NULL); | 1467 | return (NULL); |
| 1465 | } | 1468 | } |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 87b27a1d99..1c823c046a 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -325,6 +325,8 @@ | |||
| 325 | * make sure to update this constant too */ | 325 | * make sure to update this constant too */ |
| 326 | #define SSL_MAX_DIGEST 6 | 326 | #define SSL_MAX_DIGEST 6 |
| 327 | 327 | ||
| 328 | #define SSL3_CK_ID 0x03000000 | ||
| 329 | |||
| 328 | #define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) | 330 | #define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT) |
| 329 | 331 | ||
| 330 | #define TLS1_PRF_DGST_SHIFT 10 | 332 | #define TLS1_PRF_DGST_SHIFT 10 |
| @@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); | |||
| 594 | int ssl_verify_alarm_type(long type); | 596 | int ssl_verify_alarm_type(long type); |
| 595 | void ssl_load_ciphers(void); | 597 | void ssl_load_ciphers(void); |
| 596 | 598 | ||
| 597 | const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); | ||
| 598 | int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); | 599 | int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); |
| 599 | void ssl3_init_finished_mac(SSL *s); | 600 | void ssl3_init_finished_mac(SSL *s); |
| 600 | int ssl3_send_server_certificate(SSL *s); | 601 | int ssl3_send_server_certificate(SSL *s); |