1 files changed, 225 insertions, 22 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 8e89911f48..f82d071d6e 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -176,7 +176,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
        0,      /* client_finished_label_len */
        NULL,   /* server_finished_label */
        0,      /* server_finished_label_len */
-        (int (*)(int))ssl_undefined_function
+        (int (*)(int))ssl_undefined_function,
+        (int (*)(SSL *, unsigned char *, size_t, const char *,
+                 size_t, const unsigned char *, size_t,
+                 int use_context)) ssl_undefined_function,
        };
 int SSL_clear(SSL *s)
@@ -202,9 +205,9 @@ int SSL_clear(SSL *s)
       * needed because SSL_clear is not called when doing renegotiation) */
        /* This is set if we are doing dynamic renegotiation so keep
         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-        if (s->new_session) return(1);
+        if (s->renegotiate) return(1);
 #else
-        if (s->new_session)
+        if (s->renegotiate)
                {
                SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
                return 0;
@@ -353,6 +356,9 @@ SSL *SSL_new(SSL_CTX *ctx)
        s->tlsext_ocsp_resplen = -1;
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        s->initial_ctx=ctx;
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        s->next_proto_negotiated = NULL;
+# endif
 #endif
        s->verify_result=X509_V_OK;
@@ -586,6 +592,14 @@ void SSL_free(SSL *s)
                kssl_ctx_free(s->kssl_ctx);
 #endif  /* OPENSSL_NO_KRB5 */
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+        if (s->next_proto_negotiated)
+                OPENSSL_free(s->next_proto_negotiated);
+#endif
+        if (s->srtp_profiles)
+            sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
        OPENSSL_free(s);
        }
@@ -1008,10 +1022,21 @@ int SSL_shutdown(SSL *s)
 int SSL_renegotiate(SSL *s)
        {
-        if (s->new_session == 0)
+        if (s->renegotiate == 0)
-                {
+                s->renegotiate=1;
-                s->new_session=1;
-                }
+        s->new_session=1;
+        return(s->method->ssl_renegotiate(s));
+        }
+int SSL_renegotiate_abbreviated(SSL *s)
+        {
+        if (s->renegotiate == 0)
+                s->renegotiate=1;
+        s->new_session=0;
        return(s->method->ssl_renegotiate(s));
        }
@@ -1019,7 +1044,7 @@ int SSL_renegotiate_pending(SSL *s)
        {
        /* becomes true when negotiation is requested;
         * false again once a handshake has finished */
-        return (s->new_session != 0);
+        return (s->renegotiate != 0);
        }
 long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
@@ -1054,8 +1079,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                s->max_cert_list=larg;
                return(l);
        case SSL_CTRL_SET_MTU:
+#ifndef OPENSSL_NO_DTLS1
                if (larg < (long)dtls1_min_mtu())
                        return 0;
+#endif
                if (SSL_version(s) == DTLS1_VERSION ||
                    SSL_version(s) == DTLS1_BAD_VER)
@@ -1358,6 +1385,10 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                {
                c=sk_SSL_CIPHER_value(sk,i);
+                /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
+                if ((c->algorithm_ssl & SSL_TLSV1_2) && 
+                        (TLS1_get_client_version(s) < TLS1_2_VERSION))
+                        continue;
 #ifndef OPENSSL_NO_KRB5
                if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
                    nokrb5)
@@ -1375,7 +1406,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
        /* If p == q, no ciphers and caller indicates an error. Otherwise
         * add SCSV if not renegotiating.
         */
-        if (p != q && !s->new_session)
+        if (p != q && !s->renegotiate)
                {
                static SSL_CIPHER scsv =
                        {
@@ -1422,7 +1453,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                        (p[n-1] == (SSL3_CK_SCSV & 0xff)))
                        {
                        /* SCSV fatal if renegotiating */
-                        if (s->new_session)
+                        if (s->renegotiate)
                                {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
@@ -1479,8 +1510,137 @@ int SSL_get_servername_type(const SSL *s)
                return TLSEXT_NAMETYPE_host_name;
        return -1;
        }
+# ifndef OPENSSL_NO_NEXTPROTONEG
+/* SSL_select_next_proto implements the standard protocol selection. It is
+ * expected that this function is called from the callback set by
+ * SSL_CTX_set_next_proto_select_cb.
+ *
+ * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
+ * strings. The length byte itself is not included in the length. A byte
+ * string of length 0 is invalid. No byte string may be truncated.
+ *
+ * The current, but experimental algorithm for selecting the protocol is:
+ *
+ * 1) If the server doesn't support NPN then this is indicated to the
+ * callback. In this case, the client application has to abort the connection
+ * or have a default application level protocol.
+ *
+ * 2) If the server supports NPN, but advertises an empty list then the
+ * client selects the first protcol in its list, but indicates via the
+ * API that this fallback case was enacted.
+ *
+ * 3) Otherwise, the client finds the first protocol in the server's list
+ * that it supports and selects this protocol. This is because it's
+ * assumed that the server has better information about which protocol
+ * a client should use.
+ *
+ * 4) If the client doesn't support any of the server's advertised
+ * protocols, then this is treated the same as case 2.
+ *
+ * It returns either
+ * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
+ * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
+ */
+int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
+        {
+        unsigned int i, j;
+        const unsigned char *result;
+        int status = OPENSSL_NPN_UNSUPPORTED;
+        /* For each protocol in server preference order, see if we support it. */
+        for (i = 0; i < server_len; )
+                {
+                for (j = 0; j < client_len; )
+                        {
+                        if (server[i] == client[j] &&
+                            memcmp(&server[i+1], &client[j+1], server[i]) == 0)
+                                {
+                                /* We found a match */
+                                result = &server[i];
+                                status = OPENSSL_NPN_NEGOTIATED;
+                                goto found;
+                                }
+                        j += client[j];
+                        j++;
+                        }
+                i += server[i];
+                i++;
+                }
+        /* There's no overlap between our protocols and the server's list. */
+        result = client;
+        status = OPENSSL_NPN_NO_OVERLAP;
+        found:
+        *out = (unsigned char *) result + 1;
+        *outlen = result[0];
+        return status;
+        }
+/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
+ * requested protocol for this connection and returns 0. If the client didn't
+ * request any protocol, then *data is set to NULL.
+ *
+ * Note that the client can request any protocol it chooses. The value returned
+ * from this function need not be a member of the list of supported protocols
+ * provided by the callback.
+ */
+void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
+        {
+        *data = s->next_proto_negotiated;
+        if (!*data) {
+                *len = 0;
+        } else {
+                *len = s->next_proto_negotiated_len;
+        }
+}
+/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
+ * TLS server needs a list of supported protocols for Next Protocol
+ * Negotiation. The returned list must be in wire format.  The list is returned
+ * by setting |out| to point to it and |outlen| to its length. This memory will
+ * not be modified, but one should assume that the SSL* keeps a reference to
+ * it.
+ *
+ * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
+ * such extension will be included in the ServerHello. */
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
+        {
+        ctx->next_protos_advertised_cb = cb;
+        ctx->next_protos_advertised_cb_arg = arg;
+        }
+/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
+ * client needs to select a protocol from the server's provided list. |out|
+ * must be set to point to the selected protocol (which may be within |in|).
+ * The length of the protocol name must be written into |outlen|. The server's
+ * advertised protocols are provided in |in| and |inlen|. The callback can
+ * assume that |in| is syntactically valid.
+ *
+ * The client must select a protocol. It is fatal to the connection if this
+ * callback returns a value other than SSL_TLSEXT_ERR_OK.
+ */
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
+        {
+        ctx->next_proto_select_cb = cb;
+        ctx->next_proto_select_cb_arg = arg;
+        }
+# endif
 #endif
+int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+        const char *label, size_t llen, const unsigned char *p, size_t plen,
+        int use_context)
+        {
+        if (s->version < TLS1_VERSION)
+                return -1;
+        return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
+                                                           llen, p, plen,
+                                                           use_context);
+        }
 static unsigned long ssl_session_hash(const SSL_SESSION *a)
        {
        unsigned long l;
@@ -1524,6 +1684,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
                return(NULL);
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1643,12 +1811,19 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        ret->tlsext_status_cb = 0;
        ret->tlsext_status_arg = NULL;
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        ret->next_protos_advertised_cb = 0;
+        ret->next_proto_select_cb = 0;
+# endif
 #endif
 #ifndef OPENSSL_NO_PSK
        ret->psk_identity_hint=NULL;
        ret->psk_client_callback=NULL;
        ret->psk_server_callback=NULL;
 #endif
+#ifndef OPENSSL_NO_SRP
+        SSL_CTX_SRP_CTX_init(ret);
+#endif
 #ifndef OPENSSL_NO_BUF_FREELISTS
        ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
        ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1777,10 +1952,16 @@ void SSL_CTX_free(SSL_CTX *a)
        a->comp_methods = NULL;
 #endif
+        if (a->srtp_profiles)
+                sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
 #ifndef OPENSSL_NO_PSK
        if (a->psk_identity_hint)
                OPENSSL_free(a->psk_identity_hint);
 #endif
+#ifndef OPENSSL_NO_SRP
+        SSL_CTX_SRP_CTX_free(a);
+#endif
 #ifndef OPENSSL_NO_ENGINE
        if (a->client_cert_engine)
                ENGINE_finish(a->client_cert_engine);
@@ -2034,12 +2215,13 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #ifndef OPENSSL_NO_EC
-int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
        {
        unsigned long alg_k, alg_a;
        EVP_PKEY *pkey = NULL;
        int keysize = 0;
        int signature_nid = 0, md_nid = 0, pk_nid = 0;
+        const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
        alg_k = cs->algorithm_mkey;
        alg_a = cs->algorithm_auth;
@@ -2069,7 +2251,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
                        return 0;
                        }
-                if (alg_k & SSL_kECDHe)
+                if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        /* signature alg must be ECDSA */
                        if (pk_nid != NID_X9_62_id_ecPublicKey)
@@ -2078,7 +2260,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                                return 0;
                                }
                        }
-                if (alg_k & SSL_kECDHr)
+                if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        /* signature alg must be RSA */
@@ -2168,34 +2350,36 @@ X509 *ssl_get_server_send_cert(SSL *s)
        return(c->pkeys[i].x509);
        }
-EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
        {
        unsigned long alg_a;
        CERT *c;
+        int idx = -1;
        alg_a = cipher->algorithm_auth;
        c=s->cert;
        if ((alg_a & SSL_aDSS) &&
                (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-                return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
+                idx = SSL_PKEY_DSA_SIGN;
        else if (alg_a & SSL_aRSA)
                {
                if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
-                        return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
+                        idx = SSL_PKEY_RSA_SIGN;
                else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
-                        return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+                        idx = SSL_PKEY_RSA_ENC;
-                else
-                        return(NULL);
                }
        else if ((alg_a & SSL_aECDSA) &&
                 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
-                return(c->pkeys[SSL_PKEY_ECC].privatekey);
+                idx = SSL_PKEY_ECC;
-        else /* if (alg_a & SSL_aNULL) */
+        if (idx == -1)
                {
                SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
                return(NULL);
                }
+        if (pmd)
+                *pmd = c->pkeys[idx].digest;
+        return c->pkeys[idx].privatekey;
        }
 void ssl_update_cache(SSL *s,int mode)
@@ -2420,6 +2604,10 @@ SSL_METHOD *ssl_bad_method(int ver)
 const char *SSL_get_version(const SSL *s)
        {
+        if (s->version == TLS1_2_VERSION)
+                return("TLSv1.2");
+        else if (s->version == TLS1_1_VERSION)
+                return("TLSv1.1");
        if (s->version == TLS1_VERSION)
                return("TLSv1");
        else if (s->version == SSL3_VERSION)
@@ -2514,6 +2702,7 @@ SSL *SSL_dup(SSL *s)
        ret->in_handshake = s->in_handshake;
        ret->handshake_func = s->handshake_func;
        ret->server = s->server;
+        ret->renegotiate = s->renegotiate;
        ret->new_session = s->new_session;
        ret->quiet_shutdown = s->quiet_shutdown;
        ret->shutdown=s->shutdown;
@@ -2779,6 +2968,11 @@ int SSL_state(const SSL *ssl)
        return(ssl->state);
        }
+void SSL_set_state(SSL *ssl, int state)
+        {
+        ssl->state = state;
+        }
 void SSL_set_verify_result(SSL *ssl,long arg)
        {
        ssl->verify_result=arg;
@@ -3037,6 +3231,16 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
        *hash=NULL;
 }
+void SSL_set_debug(SSL *s, int debug)
+        {
+        s->debug = debug;
+        }
+int SSL_cache_hit(SSL *s)
+        {
+        return s->hit;
+        }
 #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
 #include "../crypto/bio/bss_file.c"
 #endif
@@ -3045,4 +3249,3 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
 IMPLEMENT_STACK_OF(SSL_COMP)
 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
                                    ssl_cipher_id);

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 8e89911f48..f82d071d6e 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -176,7 +176,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
176	0, /* client_finished_label_len */	176	0, /* client_finished_label_len */
177	NULL, /* server_finished_label */	177	NULL, /* server_finished_label */
178	0, /* server_finished_label_len */	178	0, /* server_finished_label_len */
179	(int (*)(int))ssl_undefined_function	179	(int (*)(int))ssl_undefined_function,
		180	(int ()(SSL , unsigned char , size_t, const char ,
		181	size_t, const unsigned char *, size_t,
		182	int use_context)) ssl_undefined_function,
180	};	183	};
181		184
182	int SSL_clear(SSL *s)	185	int SSL_clear(SSL *s)
@@ -202,9 +205,9 @@ int SSL_clear(SSL *s)
202	* needed because SSL_clear is not called when doing renegotiation) */	205	* needed because SSL_clear is not called when doing renegotiation) */
203	/* This is set if we are doing dynamic renegotiation so keep	206	/* This is set if we are doing dynamic renegotiation so keep
204	* the old cipher. It is sort of a SSL_clear_lite :-) */	207	* the old cipher. It is sort of a SSL_clear_lite :-) */
205	if (s->new_session) return(1);	208	if (s->renegotiate) return(1);
206	#else	209	#else
207	if (s->new_session)	210	if (s->renegotiate)
208	{	211	{
209	SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);	212	SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
210	return 0;	213	return 0;
@@ -353,6 +356,9 @@ SSL SSL_new(SSL_CTX ctx)
353	s->tlsext_ocsp_resplen = -1;	356	s->tlsext_ocsp_resplen = -1;
354	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);	357	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
355	s->initial_ctx=ctx;	358	s->initial_ctx=ctx;
		359	# ifndef OPENSSL_NO_NEXTPROTONEG
		360	s->next_proto_negotiated = NULL;
		361	# endif
356	#endif	362	#endif
357		363
358	s->verify_result=X509_V_OK;	364	s->verify_result=X509_V_OK;
@@ -586,6 +592,14 @@ void SSL_free(SSL *s)
586	kssl_ctx_free(s->kssl_ctx);	592	kssl_ctx_free(s->kssl_ctx);
587	#endif /* OPENSSL_NO_KRB5 */	593	#endif /* OPENSSL_NO_KRB5 */
588		594
		595	#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
		596	if (s->next_proto_negotiated)
		597	OPENSSL_free(s->next_proto_negotiated);
		598	#endif
		599
		600	if (s->srtp_profiles)
		601	sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
		602
589	OPENSSL_free(s);	603	OPENSSL_free(s);
590	}	604	}
591		605
@@ -1008,10 +1022,21 @@ int SSL_shutdown(SSL *s)
1008		1022
1009	int SSL_renegotiate(SSL *s)	1023	int SSL_renegotiate(SSL *s)
1010	{	1024	{
1011	if (s->new_session == 0)	1025	if (s->renegotiate == 0)
1012	{	1026	s->renegotiate=1;
1013	s->new_session=1;	1027
1014	}	1028	s->new_session=1;
		1029
		1030	return(s->method->ssl_renegotiate(s));
		1031	}
		1032
		1033	int SSL_renegotiate_abbreviated(SSL *s)
		1034	{
		1035	if (s->renegotiate == 0)
		1036	s->renegotiate=1;
		1037
		1038	s->new_session=0;
		1039
1015	return(s->method->ssl_renegotiate(s));	1040	return(s->method->ssl_renegotiate(s));
1016	}	1041	}
1017		1042
@@ -1019,7 +1044,7 @@ int SSL_renegotiate_pending(SSL *s)
1019	{	1044	{
1020	/* becomes true when negotiation is requested;	1045	/* becomes true when negotiation is requested;
1021	* false again once a handshake has finished */	1046	* false again once a handshake has finished */
1022	return (s->new_session != 0);	1047	return (s->renegotiate != 0);
1023	}	1048	}
1024		1049
1025	long SSL_ctrl(SSL s,int cmd,long larg,void parg)	1050	long SSL_ctrl(SSL s,int cmd,long larg,void parg)
@@ -1054,8 +1079,10 @@ long SSL_ctrl(SSL s,int cmd,long larg,void parg)
1054	s->max_cert_list=larg;	1079	s->max_cert_list=larg;
1055	return(l);	1080	return(l);
1056	case SSL_CTRL_SET_MTU:	1081	case SSL_CTRL_SET_MTU:
		1082	#ifndef OPENSSL_NO_DTLS1
1057	if (larg < (long)dtls1_min_mtu())	1083	if (larg < (long)dtls1_min_mtu())
1058	return 0;	1084	return 0;
		1085	#endif
1059		1086
1060	if (SSL_version(s) == DTLS1_VERSION \|\|	1087	if (SSL_version(s) == DTLS1_VERSION \|\|
1061	SSL_version(s) == DTLS1_BAD_VER)	1088	SSL_version(s) == DTLS1_BAD_VER)
@@ -1358,6 +1385,10 @@ int ssl_cipher_list_to_bytes(SSL s,STACK_OF(SSL_CIPHER) sk,unsigned char *p,
1358	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)	1385	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1359	{	1386	{
1360	c=sk_SSL_CIPHER_value(sk,i);	1387	c=sk_SSL_CIPHER_value(sk,i);
		1388	/* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
		1389	if ((c->algorithm_ssl & SSL_TLSV1_2) &&
		1390	(TLS1_get_client_version(s) < TLS1_2_VERSION))
		1391	continue;
1361	#ifndef OPENSSL_NO_KRB5	1392	#ifndef OPENSSL_NO_KRB5
1362	if (((c->algorithm_mkey & SSL_kKRB5) \|\| (c->algorithm_auth & SSL_aKRB5)) &&	1393	if (((c->algorithm_mkey & SSL_kKRB5) \|\| (c->algorithm_auth & SSL_aKRB5)) &&
1363	nokrb5)	1394	nokrb5)
@@ -1375,7 +1406,7 @@ int ssl_cipher_list_to_bytes(SSL s,STACK_OF(SSL_CIPHER) sk,unsigned char *p,
1375	/* If p == q, no ciphers and caller indicates an error. Otherwise	1406	/* If p == q, no ciphers and caller indicates an error. Otherwise
1376	* add SCSV if not renegotiating.	1407	* add SCSV if not renegotiating.
1377	*/	1408	*/
1378	if (p != q && !s->new_session)	1409	if (p != q && !s->renegotiate)
1379	{	1410	{
1380	static SSL_CIPHER scsv =	1411	static SSL_CIPHER scsv =
1381	{	1412	{
@@ -1422,7 +1453,7 @@ STACK_OF(SSL_CIPHER) ssl_bytes_to_cipher_list(SSL s,unsigned char *p,int num,
1422	(p[n-1] == (SSL3_CK_SCSV & 0xff)))	1453	(p[n-1] == (SSL3_CK_SCSV & 0xff)))
1423	{	1454	{
1424	/* SCSV fatal if renegotiating */	1455	/* SCSV fatal if renegotiating */
1425	if (s->new_session)	1456	if (s->renegotiate)
1426	{	1457	{
1427	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);	1458	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1428	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);	1459	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
@@ -1479,8 +1510,137 @@ int SSL_get_servername_type(const SSL *s)
1479	return TLSEXT_NAMETYPE_host_name;	1510	return TLSEXT_NAMETYPE_host_name;
1480	return -1;	1511	return -1;
1481	}	1512	}
		1513
		1514	# ifndef OPENSSL_NO_NEXTPROTONEG
		1515	/* SSL_select_next_proto implements the standard protocol selection. It is
		1516	* expected that this function is called from the callback set by
		1517	* SSL_CTX_set_next_proto_select_cb.
		1518	*
		1519	* The protocol data is assumed to be a vector of 8-bit, length prefixed byte
		1520	* strings. The length byte itself is not included in the length. A byte
		1521	* string of length 0 is invalid. No byte string may be truncated.
		1522	*
		1523	* The current, but experimental algorithm for selecting the protocol is:
		1524	*
		1525	* 1) If the server doesn't support NPN then this is indicated to the
		1526	* callback. In this case, the client application has to abort the connection
		1527	* or have a default application level protocol.
		1528	*
		1529	* 2) If the server supports NPN, but advertises an empty list then the
		1530	* client selects the first protcol in its list, but indicates via the
		1531	* API that this fallback case was enacted.
		1532	*
		1533	* 3) Otherwise, the client finds the first protocol in the server's list
		1534	* that it supports and selects this protocol. This is because it's
		1535	* assumed that the server has better information about which protocol
		1536	* a client should use.
		1537	*
		1538	* 4) If the client doesn't support any of the server's advertised
		1539	* protocols, then this is treated the same as case 2.
		1540	*
		1541	* It returns either
		1542	* OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
		1543	* OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
		1544	*/
		1545	int SSL_select_next_proto(unsigned char *out, unsigned char outlen, const unsigned char server, unsigned int server_len, const unsigned char client, unsigned int client_len)
		1546	{
		1547	unsigned int i, j;
		1548	const unsigned char *result;
		1549	int status = OPENSSL_NPN_UNSUPPORTED;
		1550
		1551	/* For each protocol in server preference order, see if we support it. */
		1552	for (i = 0; i < server_len; )
		1553	{
		1554	for (j = 0; j < client_len; )
		1555	{
		1556	if (server[i] == client[j] &&
		1557	memcmp(&server[i+1], &client[j+1], server[i]) == 0)
		1558	{
		1559	/* We found a match */
		1560	result = &server[i];
		1561	status = OPENSSL_NPN_NEGOTIATED;
		1562	goto found;
		1563	}
		1564	j += client[j];
		1565	j++;
		1566	}
		1567	i += server[i];
		1568	i++;
		1569	}
		1570
		1571	/* There's no overlap between our protocols and the server's list. */
		1572	result = client;
		1573	status = OPENSSL_NPN_NO_OVERLAP;
		1574
		1575	found:
		1576	out = (unsigned char ) result + 1;
		1577	*outlen = result[0];
		1578	return status;
		1579	}
		1580
		1581	/* SSL_get0_next_proto_negotiated sets data and len to point to the client's
		1582	* requested protocol for this connection and returns 0. If the client didn't
		1583	* request any protocol, then *data is set to NULL.
		1584	*
		1585	* Note that the client can request any protocol it chooses. The value returned
		1586	* from this function need not be a member of the list of supported protocols
		1587	* provided by the callback.
		1588	*/
		1589	void SSL_get0_next_proto_negotiated(const SSL s, const unsigned char data, unsigned len)
		1590	{
		1591	*data = s->next_proto_negotiated;
		1592	if (!*data) {
		1593	*len = 0;
		1594	} else {
		1595	*len = s->next_proto_negotiated_len;
		1596	}
		1597	}
		1598
		1599	/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
		1600	* TLS server needs a list of supported protocols for Next Protocol
		1601	* Negotiation. The returned list must be in wire format. The list is returned
		1602	* by setting \|out\| to point to it and \|outlen\| to its length. This memory will
		1603	* not be modified, but one should assume that the SSL* keeps a reference to
		1604	* it.
		1605	*
		1606	* The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
		1607	* such extension will be included in the ServerHello. */
		1608	void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX ctx, int (cb) (SSL ssl, const unsigned char out, unsigned int outlen, void arg), void arg)
		1609	{
		1610	ctx->next_protos_advertised_cb = cb;
		1611	ctx->next_protos_advertised_cb_arg = arg;
		1612	}
		1613
		1614	/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
		1615	* client needs to select a protocol from the server's provided list. \|out\|
		1616	* must be set to point to the selected protocol (which may be within \|in\|).
		1617	* The length of the protocol name must be written into \|outlen\|. The server's
		1618	* advertised protocols are provided in \|in\| and \|inlen\|. The callback can
		1619	* assume that \|in\| is syntactically valid.
		1620	*
		1621	* The client must select a protocol. It is fatal to the connection if this
		1622	* callback returns a value other than SSL_TLSEXT_ERR_OK.
		1623	*/
		1624	void SSL_CTX_set_next_proto_select_cb(SSL_CTX ctx, int (cb) (SSL s, unsigned char out, unsigned char outlen, const unsigned char in, unsigned int inlen, void arg), void *arg)
		1625	{
		1626	ctx->next_proto_select_cb = cb;
		1627	ctx->next_proto_select_cb_arg = arg;
		1628	}
		1629	# endif
1482	#endif	1630	#endif
1483		1631
		1632	int SSL_export_keying_material(SSL s, unsigned char out, size_t olen,
		1633	const char label, size_t llen, const unsigned char p, size_t plen,
		1634	int use_context)
		1635	{
		1636	if (s->version < TLS1_VERSION)
		1637	return -1;
		1638
		1639	return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
		1640	llen, p, plen,
		1641	use_context);
		1642	}
		1643
1484	static unsigned long ssl_session_hash(const SSL_SESSION *a)	1644	static unsigned long ssl_session_hash(const SSL_SESSION *a)
1485	{	1645	{
1486	unsigned long l;	1646	unsigned long l;
@@ -1524,6 +1684,14 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
1524	return(NULL);	1684	return(NULL);
1525	}	1685	}
1526		1686
		1687	#ifdef OPENSSL_FIPS
		1688	if (FIPS_mode() && (meth->version < TLS1_VERSION))
		1689	{
		1690	SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		1691	return NULL;
		1692	}
		1693	#endif
		1694
1527	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)	1695	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1528	{	1696	{
1529	SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);	1697	SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1643,12 +1811,19 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
1643	ret->tlsext_status_cb = 0;	1811	ret->tlsext_status_cb = 0;
1644	ret->tlsext_status_arg = NULL;	1812	ret->tlsext_status_arg = NULL;
1645		1813
		1814	# ifndef OPENSSL_NO_NEXTPROTONEG
		1815	ret->next_protos_advertised_cb = 0;
		1816	ret->next_proto_select_cb = 0;
		1817	# endif
1646	#endif	1818	#endif
1647	#ifndef OPENSSL_NO_PSK	1819	#ifndef OPENSSL_NO_PSK
1648	ret->psk_identity_hint=NULL;	1820	ret->psk_identity_hint=NULL;
1649	ret->psk_client_callback=NULL;	1821	ret->psk_client_callback=NULL;
1650	ret->psk_server_callback=NULL;	1822	ret->psk_server_callback=NULL;
1651	#endif	1823	#endif
		1824	#ifndef OPENSSL_NO_SRP
		1825	SSL_CTX_SRP_CTX_init(ret);
		1826	#endif
1652	#ifndef OPENSSL_NO_BUF_FREELISTS	1827	#ifndef OPENSSL_NO_BUF_FREELISTS
1653	ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;	1828	ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1654	ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));	1829	ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1777,10 +1952,16 @@ void SSL_CTX_free(SSL_CTX *a)
1777	a->comp_methods = NULL;	1952	a->comp_methods = NULL;
1778	#endif	1953	#endif
1779		1954
		1955	if (a->srtp_profiles)
		1956	sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
		1957
1780	#ifndef OPENSSL_NO_PSK	1958	#ifndef OPENSSL_NO_PSK
1781	if (a->psk_identity_hint)	1959	if (a->psk_identity_hint)
1782	OPENSSL_free(a->psk_identity_hint);	1960	OPENSSL_free(a->psk_identity_hint);
1783	#endif	1961	#endif
		1962	#ifndef OPENSSL_NO_SRP
		1963	SSL_CTX_SRP_CTX_free(a);
		1964	#endif
1784	#ifndef OPENSSL_NO_ENGINE	1965	#ifndef OPENSSL_NO_ENGINE
1785	if (a->client_cert_engine)	1966	if (a->client_cert_engine)
1786	ENGINE_finish(a->client_cert_engine);	1967	ENGINE_finish(a->client_cert_engine);
@@ -2034,12 +2215,13 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
2034		2215
2035	#ifndef OPENSSL_NO_EC	2216	#ifndef OPENSSL_NO_EC
2036		2217
2037	int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)	2218	int ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)
2038	{	2219	{
2039	unsigned long alg_k, alg_a;	2220	unsigned long alg_k, alg_a;
2040	EVP_PKEY *pkey = NULL;	2221	EVP_PKEY *pkey = NULL;
2041	int keysize = 0;	2222	int keysize = 0;
2042	int signature_nid = 0, md_nid = 0, pk_nid = 0;	2223	int signature_nid = 0, md_nid = 0, pk_nid = 0;
		2224	const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2043		2225
2044	alg_k = cs->algorithm_mkey;	2226	alg_k = cs->algorithm_mkey;
2045	alg_a = cs->algorithm_auth;	2227	alg_a = cs->algorithm_auth;
@@ -2069,7 +2251,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2069	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);	2251	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2070	return 0;	2252	return 0;
2071	}	2253	}
2072	if (alg_k & SSL_kECDHe)	2254	if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
2073	{	2255	{
2074	/* signature alg must be ECDSA */	2256	/* signature alg must be ECDSA */
2075	if (pk_nid != NID_X9_62_id_ecPublicKey)	2257	if (pk_nid != NID_X9_62_id_ecPublicKey)
@@ -2078,7 +2260,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2078	return 0;	2260	return 0;
2079	}	2261	}
2080	}	2262	}
2081	if (alg_k & SSL_kECDHr)	2263	if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
2082	{	2264	{
2083	/* signature alg must be RSA */	2265	/* signature alg must be RSA */
2084		2266
@@ -2168,34 +2350,36 @@ X509 ssl_get_server_send_cert(SSL s)
2168	return(c->pkeys[i].x509);	2350	return(c->pkeys[i].x509);
2169	}	2351	}
2170		2352
2171	EVP_PKEY ssl_get_sign_pkey(SSL s,const SSL_CIPHER *cipher)	2353	EVP_PKEY ssl_get_sign_pkey(SSL s,const SSL_CIPHER cipher, const EVP_MD *pmd)
2172	{	2354	{
2173	unsigned long alg_a;	2355	unsigned long alg_a;
2174	CERT *c;	2356	CERT *c;
		2357	int idx = -1;
2175		2358
2176	alg_a = cipher->algorithm_auth;	2359	alg_a = cipher->algorithm_auth;
2177	c=s->cert;	2360	c=s->cert;
2178		2361
2179	if ((alg_a & SSL_aDSS) &&	2362	if ((alg_a & SSL_aDSS) &&
2180	(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))	2363	(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2181	return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);	2364	idx = SSL_PKEY_DSA_SIGN;
2182	else if (alg_a & SSL_aRSA)	2365	else if (alg_a & SSL_aRSA)
2183	{	2366	{
2184	if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)	2367	if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2185	return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);	2368	idx = SSL_PKEY_RSA_SIGN;
2186	else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)	2369	else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2187	return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);	2370	idx = SSL_PKEY_RSA_ENC;
2188	else
2189	return(NULL);
2190	}	2371	}
2191	else if ((alg_a & SSL_aECDSA) &&	2372	else if ((alg_a & SSL_aECDSA) &&
2192	(c->pkeys[SSL_PKEY_ECC].privatekey != NULL))	2373	(c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2193	return(c->pkeys[SSL_PKEY_ECC].privatekey);	2374	idx = SSL_PKEY_ECC;
2194	else /* if (alg_a & SSL_aNULL) */	2375	if (idx == -1)
2195	{	2376	{
2196	SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);	2377	SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2197	return(NULL);	2378	return(NULL);
2198	}	2379	}
		2380	if (pmd)
		2381	*pmd = c->pkeys[idx].digest;
		2382	return c->pkeys[idx].privatekey;
2199	}	2383	}
2200		2384
2201	void ssl_update_cache(SSL *s,int mode)	2385	void ssl_update_cache(SSL *s,int mode)
@@ -2420,6 +2604,10 @@ SSL_METHOD *ssl_bad_method(int ver)
2420		2604
2421	const char SSL_get_version(const SSL s)	2605	const char SSL_get_version(const SSL s)
2422	{	2606	{
		2607	if (s->version == TLS1_2_VERSION)
		2608	return("TLSv1.2");
		2609	else if (s->version == TLS1_1_VERSION)
		2610	return("TLSv1.1");
2423	if (s->version == TLS1_VERSION)	2611	if (s->version == TLS1_VERSION)
2424	return("TLSv1");	2612	return("TLSv1");
2425	else if (s->version == SSL3_VERSION)	2613	else if (s->version == SSL3_VERSION)
@@ -2514,6 +2702,7 @@ SSL SSL_dup(SSL s)
2514	ret->in_handshake = s->in_handshake;	2702	ret->in_handshake = s->in_handshake;
2515	ret->handshake_func = s->handshake_func;	2703	ret->handshake_func = s->handshake_func;
2516	ret->server = s->server;	2704	ret->server = s->server;
		2705	ret->renegotiate = s->renegotiate;
2517	ret->new_session = s->new_session;	2706	ret->new_session = s->new_session;
2518	ret->quiet_shutdown = s->quiet_shutdown;	2707	ret->quiet_shutdown = s->quiet_shutdown;
2519	ret->shutdown=s->shutdown;	2708	ret->shutdown=s->shutdown;
@@ -2779,6 +2968,11 @@ int SSL_state(const SSL *ssl)
2779	return(ssl->state);	2968	return(ssl->state);
2780	}	2969	}
2781		2970
		2971	void SSL_set_state(SSL *ssl, int state)
		2972	{
		2973	ssl->state = state;
		2974	}
		2975
2782	void SSL_set_verify_result(SSL *ssl,long arg)	2976	void SSL_set_verify_result(SSL *ssl,long arg)
2783	{	2977	{
2784	ssl->verify_result=arg;	2978	ssl->verify_result=arg;
@@ -3037,6 +3231,16 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3037	*hash=NULL;	3231	*hash=NULL;
3038	}	3232	}
3039		3233
		3234	void SSL_set_debug(SSL *s, int debug)
		3235	{
		3236	s->debug = debug;
		3237	}
		3238
		3239	int SSL_cache_hit(SSL *s)
		3240	{
		3241	return s->hit;
		3242	}
		3243
3040	#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)	3244	#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3041	#include "../crypto/bio/bss_file.c"	3245	#include "../crypto/bio/bss_file.c"
3042	#endif	3246	#endif
@@ -3045,4 +3249,3 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
3045	IMPLEMENT_STACK_OF(SSL_COMP)	3249	IMPLEMENT_STACK_OF(SSL_COMP)
3046	IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,	3250	IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3047	ssl_cipher_id);	3251	ssl_cipher_id);
3048