1 files changed, 225 insertions, 22 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 7755476de3..c91f0018e4 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -176,7 +176,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
        0,      /* client_finished_label_len */
        NULL,   /* server_finished_label */
        0,      /* server_finished_label_len */
-        (int (*)(int))ssl_undefined_function
+        (int (*)(int))ssl_undefined_function,
+        (int (*)(SSL *, unsigned char *, size_t, const char *,
+                 size_t, const unsigned char *, size_t,
+                 int use_context)) ssl_undefined_function,
        };
 int SSL_clear(SSL *s)
@@ -202,9 +205,9 @@ int SSL_clear(SSL *s)
       * needed because SSL_clear is not called when doing renegotiation) */
        /* This is set if we are doing dynamic renegotiation so keep
         * the old cipher.  It is sort of a SSL_clear_lite :-) */
-        if (s->new_session) return(1);
+        if (s->renegotiate) return(1);
 #else
-        if (s->new_session)
+        if (s->renegotiate)
                {
                SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
                return 0;
@@ -353,6 +356,9 @@ SSL *SSL_new(SSL_CTX *ctx)
        s->tlsext_ocsp_resplen = -1;
        CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
        s->initial_ctx=ctx;
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        s->next_proto_negotiated = NULL;
+# endif
 #endif
        s->verify_result=X509_V_OK;
@@ -586,6 +592,14 @@ void SSL_free(SSL *s)
                kssl_ctx_free(s->kssl_ctx);
 #endif  /* OPENSSL_NO_KRB5 */
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+        if (s->next_proto_negotiated)
+                OPENSSL_free(s->next_proto_negotiated);
+#endif
+        if (s->srtp_profiles)
+            sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
        OPENSSL_free(s);
        }
@@ -1008,10 +1022,21 @@ int SSL_shutdown(SSL *s)
 int SSL_renegotiate(SSL *s)
        {
-        if (s->new_session == 0)
+        if (s->renegotiate == 0)
-                {
+                s->renegotiate=1;
-                s->new_session=1;
-                }
+        s->new_session=1;
+        return(s->method->ssl_renegotiate(s));
+        }
+int SSL_renegotiate_abbreviated(SSL *s)
+        {
+        if (s->renegotiate == 0)
+                s->renegotiate=1;
+        s->new_session=0;
        return(s->method->ssl_renegotiate(s));
        }
@@ -1019,7 +1044,7 @@ int SSL_renegotiate_pending(SSL *s)
        {
        /* becomes true when negotiation is requested;
         * false again once a handshake has finished */
-        return (s->new_session != 0);
+        return (s->renegotiate != 0);
        }
 long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
@@ -1054,8 +1079,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                s->max_cert_list=larg;
                return(l);
        case SSL_CTRL_SET_MTU:
+#ifndef OPENSSL_NO_DTLS1
                if (larg < (long)dtls1_min_mtu())
                        return 0;
+#endif
                if (SSL_version(s) == DTLS1_VERSION ||
                    SSL_version(s) == DTLS1_BAD_VER)
@@ -1355,6 +1382,10 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                {
                c=sk_SSL_CIPHER_value(sk,i);
+                /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
+                if ((c->algorithm_ssl & SSL_TLSV1_2) && 
+                        (TLS1_get_client_version(s) < TLS1_2_VERSION))
+                        continue;
 #ifndef OPENSSL_NO_KRB5
                if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
                    nokrb5)
@@ -1372,7 +1403,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
        /* If p == q, no ciphers and caller indicates an error. Otherwise
         * add SCSV if not renegotiating.
         */
-        if (p != q && !s->new_session)
+        if (p != q && !s->renegotiate)
                {
                static SSL_CIPHER scsv =
                        {
@@ -1419,7 +1450,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
                        (p[n-1] == (SSL3_CK_SCSV & 0xff)))
                        {
                        /* SCSV fatal if renegotiating */
-                        if (s->new_session)
+                        if (s->renegotiate)
                                {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 
@@ -1476,8 +1507,137 @@ int SSL_get_servername_type(const SSL *s)
                return TLSEXT_NAMETYPE_host_name;
        return -1;
        }
+# ifndef OPENSSL_NO_NEXTPROTONEG
+/* SSL_select_next_proto implements the standard protocol selection. It is
+ * expected that this function is called from the callback set by
+ * SSL_CTX_set_next_proto_select_cb.
+ *
+ * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
+ * strings. The length byte itself is not included in the length. A byte
+ * string of length 0 is invalid. No byte string may be truncated.
+ *
+ * The current, but experimental algorithm for selecting the protocol is:
+ *
+ * 1) If the server doesn't support NPN then this is indicated to the
+ * callback. In this case, the client application has to abort the connection
+ * or have a default application level protocol.
+ *
+ * 2) If the server supports NPN, but advertises an empty list then the
+ * client selects the first protcol in its list, but indicates via the
+ * API that this fallback case was enacted.
+ *
+ * 3) Otherwise, the client finds the first protocol in the server's list
+ * that it supports and selects this protocol. This is because it's
+ * assumed that the server has better information about which protocol
+ * a client should use.
+ *
+ * 4) If the client doesn't support any of the server's advertised
+ * protocols, then this is treated the same as case 2.
+ *
+ * It returns either
+ * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
+ * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
+ */
+int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
+        {
+        unsigned int i, j;
+        const unsigned char *result;
+        int status = OPENSSL_NPN_UNSUPPORTED;
+        /* For each protocol in server preference order, see if we support it. */
+        for (i = 0; i < server_len; )
+                {
+                for (j = 0; j < client_len; )
+                        {
+                        if (server[i] == client[j] &&
+                            memcmp(&server[i+1], &client[j+1], server[i]) == 0)
+                                {
+                                /* We found a match */
+                                result = &server[i];
+                                status = OPENSSL_NPN_NEGOTIATED;
+                                goto found;
+                                }
+                        j += client[j];
+                        j++;
+                        }
+                i += server[i];
+                i++;
+                }
+        /* There's no overlap between our protocols and the server's list. */
+        result = client;
+        status = OPENSSL_NPN_NO_OVERLAP;
+        found:
+        *out = (unsigned char *) result + 1;
+        *outlen = result[0];
+        return status;
+        }
+/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
+ * requested protocol for this connection and returns 0. If the client didn't
+ * request any protocol, then *data is set to NULL.
+ *
+ * Note that the client can request any protocol it chooses. The value returned
+ * from this function need not be a member of the list of supported protocols
+ * provided by the callback.
+ */
+void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
+        {
+        *data = s->next_proto_negotiated;
+        if (!*data) {
+                *len = 0;
+        } else {
+                *len = s->next_proto_negotiated_len;
+        }
+}
+/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
+ * TLS server needs a list of supported protocols for Next Protocol
+ * Negotiation. The returned list must be in wire format.  The list is returned
+ * by setting |out| to point to it and |outlen| to its length. This memory will
+ * not be modified, but one should assume that the SSL* keeps a reference to
+ * it.
+ *
+ * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
+ * such extension will be included in the ServerHello. */
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
+        {
+        ctx->next_protos_advertised_cb = cb;
+        ctx->next_protos_advertised_cb_arg = arg;
+        }
+/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
+ * client needs to select a protocol from the server's provided list. |out|
+ * must be set to point to the selected protocol (which may be within |in|).
+ * The length of the protocol name must be written into |outlen|. The server's
+ * advertised protocols are provided in |in| and |inlen|. The callback can
+ * assume that |in| is syntactically valid.
+ *
+ * The client must select a protocol. It is fatal to the connection if this
+ * callback returns a value other than SSL_TLSEXT_ERR_OK.
+ */
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
+        {
+        ctx->next_proto_select_cb = cb;
+        ctx->next_proto_select_cb_arg = arg;
+        }
+# endif
 #endif
+int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+        const char *label, size_t llen, const unsigned char *p, size_t plen,
+        int use_context)
+        {
+        if (s->version < TLS1_VERSION)
+                return -1;
+        return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
+                                                           llen, p, plen,
+                                                           use_context);
+        }
 static unsigned long ssl_session_hash(const SSL_SESSION *a)
        {
        unsigned long l;
@@ -1521,6 +1681,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
                return(NULL);
                }
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+                {
+                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                return NULL;
+                }
+#endif
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1640,12 +1808,19 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        ret->tlsext_status_cb = 0;
        ret->tlsext_status_arg = NULL;
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        ret->next_protos_advertised_cb = 0;
+        ret->next_proto_select_cb = 0;
+# endif
 #endif
 #ifndef OPENSSL_NO_PSK
        ret->psk_identity_hint=NULL;
        ret->psk_client_callback=NULL;
        ret->psk_server_callback=NULL;
 #endif
+#ifndef OPENSSL_NO_SRP
+        SSL_CTX_SRP_CTX_init(ret);
+#endif
 #ifndef OPENSSL_NO_BUF_FREELISTS
        ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
        ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1774,10 +1949,16 @@ void SSL_CTX_free(SSL_CTX *a)
        a->comp_methods = NULL;
 #endif
+        if (a->srtp_profiles)
+                sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
 #ifndef OPENSSL_NO_PSK
        if (a->psk_identity_hint)
                OPENSSL_free(a->psk_identity_hint);
 #endif
+#ifndef OPENSSL_NO_SRP
+        SSL_CTX_SRP_CTX_free(a);
+#endif
 #ifndef OPENSSL_NO_ENGINE
        if (a->client_cert_engine)
                ENGINE_finish(a->client_cert_engine);
@@ -2031,12 +2212,13 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 #ifndef OPENSSL_NO_EC
-int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
        {
        unsigned long alg_k, alg_a;
        EVP_PKEY *pkey = NULL;
        int keysize = 0;
        int signature_nid = 0, md_nid = 0, pk_nid = 0;
+        const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
        alg_k = cs->algorithm_mkey;
        alg_a = cs->algorithm_auth;
@@ -2066,7 +2248,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
                        return 0;
                        }
-                if (alg_k & SSL_kECDHe)
+                if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        /* signature alg must be ECDSA */
                        if (pk_nid != NID_X9_62_id_ecPublicKey)
@@ -2075,7 +2257,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
                                return 0;
                                }
                        }
-                if (alg_k & SSL_kECDHr)
+                if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
                        {
                        /* signature alg must be RSA */
@@ -2165,34 +2347,36 @@ X509 *ssl_get_server_send_cert(SSL *s)
        return(c->pkeys[i].x509);
        }
-EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
        {
        unsigned long alg_a;
        CERT *c;
+        int idx = -1;
        alg_a = cipher->algorithm_auth;
        c=s->cert;
        if ((alg_a & SSL_aDSS) &&
                (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-                return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
+                idx = SSL_PKEY_DSA_SIGN;
        else if (alg_a & SSL_aRSA)
                {
                if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
-                        return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
+                        idx = SSL_PKEY_RSA_SIGN;
                else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
-                        return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+                        idx = SSL_PKEY_RSA_ENC;
-                else
-                        return(NULL);
                }
        else if ((alg_a & SSL_aECDSA) &&
                 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
-                return(c->pkeys[SSL_PKEY_ECC].privatekey);
+                idx = SSL_PKEY_ECC;
-        else /* if (alg_a & SSL_aNULL) */
+        if (idx == -1)
                {
                SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
                return(NULL);
                }
+        if (pmd)
+                *pmd = c->pkeys[idx].digest;
+        return c->pkeys[idx].privatekey;
        }
 void ssl_update_cache(SSL *s,int mode)
@@ -2417,6 +2601,10 @@ SSL_METHOD *ssl_bad_method(int ver)
 const char *SSL_get_version(const SSL *s)
        {
+        if (s->version == TLS1_2_VERSION)
+                return("TLSv1.2");
+        else if (s->version == TLS1_1_VERSION)
+                return("TLSv1.1");
        if (s->version == TLS1_VERSION)
                return("TLSv1");
        else if (s->version == SSL3_VERSION)
@@ -2511,6 +2699,7 @@ SSL *SSL_dup(SSL *s)
        ret->in_handshake = s->in_handshake;
        ret->handshake_func = s->handshake_func;
        ret->server = s->server;
+        ret->renegotiate = s->renegotiate;
        ret->new_session = s->new_session;
        ret->quiet_shutdown = s->quiet_shutdown;
        ret->shutdown=s->shutdown;
@@ -2776,6 +2965,11 @@ int SSL_state(const SSL *ssl)
        return(ssl->state);
        }
+void SSL_set_state(SSL *ssl, int state)
+        {
+        ssl->state = state;
+        }
 void SSL_set_verify_result(SSL *ssl,long arg)
        {
        ssl->verify_result=arg;
@@ -3034,6 +3228,16 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
        *hash=NULL;
 }
+void SSL_set_debug(SSL *s, int debug)
+        {
+        s->debug = debug;
+        }
+int SSL_cache_hit(SSL *s)
+        {
+        return s->hit;
+        }
 #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
 #include "../crypto/bio/bss_file.c"
 #endif
@@ -3042,4 +3246,3 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
 IMPLEMENT_STACK_OF(SSL_COMP)
 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
                                    ssl_cipher_id);

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 7755476de3..c91f0018e4 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -176,7 +176,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
176	0, /* client_finished_label_len */	176	0, /* client_finished_label_len */
177	NULL, /* server_finished_label */	177	NULL, /* server_finished_label */
178	0, /* server_finished_label_len */	178	0, /* server_finished_label_len */
179	(int (*)(int))ssl_undefined_function	179	(int (*)(int))ssl_undefined_function,
		180	(int ()(SSL , unsigned char , size_t, const char ,
		181	size_t, const unsigned char *, size_t,
		182	int use_context)) ssl_undefined_function,
180	};	183	};
181		184
182	int SSL_clear(SSL *s)	185	int SSL_clear(SSL *s)
@@ -202,9 +205,9 @@ int SSL_clear(SSL *s)
202	* needed because SSL_clear is not called when doing renegotiation) */	205	* needed because SSL_clear is not called when doing renegotiation) */
203	/* This is set if we are doing dynamic renegotiation so keep	206	/* This is set if we are doing dynamic renegotiation so keep
204	* the old cipher. It is sort of a SSL_clear_lite :-) */	207	* the old cipher. It is sort of a SSL_clear_lite :-) */
205	if (s->new_session) return(1);	208	if (s->renegotiate) return(1);
206	#else	209	#else
207	if (s->new_session)	210	if (s->renegotiate)
208	{	211	{
209	SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);	212	SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
210	return 0;	213	return 0;
@@ -353,6 +356,9 @@ SSL SSL_new(SSL_CTX ctx)
353	s->tlsext_ocsp_resplen = -1;	356	s->tlsext_ocsp_resplen = -1;
354	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);	357	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
355	s->initial_ctx=ctx;	358	s->initial_ctx=ctx;
		359	# ifndef OPENSSL_NO_NEXTPROTONEG
		360	s->next_proto_negotiated = NULL;
		361	# endif
356	#endif	362	#endif
357		363
358	s->verify_result=X509_V_OK;	364	s->verify_result=X509_V_OK;
@@ -586,6 +592,14 @@ void SSL_free(SSL *s)
586	kssl_ctx_free(s->kssl_ctx);	592	kssl_ctx_free(s->kssl_ctx);
587	#endif /* OPENSSL_NO_KRB5 */	593	#endif /* OPENSSL_NO_KRB5 */
588		594
		595	#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
		596	if (s->next_proto_negotiated)
		597	OPENSSL_free(s->next_proto_negotiated);
		598	#endif
		599
		600	if (s->srtp_profiles)
		601	sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
		602
589	OPENSSL_free(s);	603	OPENSSL_free(s);
590	}	604	}
591		605
@@ -1008,10 +1022,21 @@ int SSL_shutdown(SSL *s)
1008		1022
1009	int SSL_renegotiate(SSL *s)	1023	int SSL_renegotiate(SSL *s)
1010	{	1024	{
1011	if (s->new_session == 0)	1025	if (s->renegotiate == 0)
1012	{	1026	s->renegotiate=1;
1013	s->new_session=1;	1027
1014	}	1028	s->new_session=1;
		1029
		1030	return(s->method->ssl_renegotiate(s));
		1031	}
		1032
		1033	int SSL_renegotiate_abbreviated(SSL *s)
		1034	{
		1035	if (s->renegotiate == 0)
		1036	s->renegotiate=1;
		1037
		1038	s->new_session=0;
		1039
1015	return(s->method->ssl_renegotiate(s));	1040	return(s->method->ssl_renegotiate(s));
1016	}	1041	}
1017		1042
@@ -1019,7 +1044,7 @@ int SSL_renegotiate_pending(SSL *s)
1019	{	1044	{
1020	/* becomes true when negotiation is requested;	1045	/* becomes true when negotiation is requested;
1021	* false again once a handshake has finished */	1046	* false again once a handshake has finished */
1022	return (s->new_session != 0);	1047	return (s->renegotiate != 0);
1023	}	1048	}
1024		1049
1025	long SSL_ctrl(SSL s,int cmd,long larg,void parg)	1050	long SSL_ctrl(SSL s,int cmd,long larg,void parg)
@@ -1054,8 +1079,10 @@ long SSL_ctrl(SSL s,int cmd,long larg,void parg)
1054	s->max_cert_list=larg;	1079	s->max_cert_list=larg;
1055	return(l);	1080	return(l);
1056	case SSL_CTRL_SET_MTU:	1081	case SSL_CTRL_SET_MTU:
		1082	#ifndef OPENSSL_NO_DTLS1
1057	if (larg < (long)dtls1_min_mtu())	1083	if (larg < (long)dtls1_min_mtu())
1058	return 0;	1084	return 0;
		1085	#endif
1059		1086
1060	if (SSL_version(s) == DTLS1_VERSION \|\|	1087	if (SSL_version(s) == DTLS1_VERSION \|\|
1061	SSL_version(s) == DTLS1_BAD_VER)	1088	SSL_version(s) == DTLS1_BAD_VER)
@@ -1355,6 +1382,10 @@ int ssl_cipher_list_to_bytes(SSL s,STACK_OF(SSL_CIPHER) sk,unsigned char *p,
1355	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)	1382	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1356	{	1383	{
1357	c=sk_SSL_CIPHER_value(sk,i);	1384	c=sk_SSL_CIPHER_value(sk,i);
		1385	/* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
		1386	if ((c->algorithm_ssl & SSL_TLSV1_2) &&
		1387	(TLS1_get_client_version(s) < TLS1_2_VERSION))
		1388	continue;
1358	#ifndef OPENSSL_NO_KRB5	1389	#ifndef OPENSSL_NO_KRB5
1359	if (((c->algorithm_mkey & SSL_kKRB5) \|\| (c->algorithm_auth & SSL_aKRB5)) &&	1390	if (((c->algorithm_mkey & SSL_kKRB5) \|\| (c->algorithm_auth & SSL_aKRB5)) &&
1360	nokrb5)	1391	nokrb5)
@@ -1372,7 +1403,7 @@ int ssl_cipher_list_to_bytes(SSL s,STACK_OF(SSL_CIPHER) sk,unsigned char *p,
1372	/* If p == q, no ciphers and caller indicates an error. Otherwise	1403	/* If p == q, no ciphers and caller indicates an error. Otherwise
1373	* add SCSV if not renegotiating.	1404	* add SCSV if not renegotiating.
1374	*/	1405	*/
1375	if (p != q && !s->new_session)	1406	if (p != q && !s->renegotiate)
1376	{	1407	{
1377	static SSL_CIPHER scsv =	1408	static SSL_CIPHER scsv =
1378	{	1409	{
@@ -1419,7 +1450,7 @@ STACK_OF(SSL_CIPHER) ssl_bytes_to_cipher_list(SSL s,unsigned char *p,int num,
1419	(p[n-1] == (SSL3_CK_SCSV & 0xff)))	1450	(p[n-1] == (SSL3_CK_SCSV & 0xff)))
1420	{	1451	{
1421	/* SCSV fatal if renegotiating */	1452	/* SCSV fatal if renegotiating */
1422	if (s->new_session)	1453	if (s->renegotiate)
1423	{	1454	{
1424	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);	1455	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1425	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);	1456	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
@@ -1476,8 +1507,137 @@ int SSL_get_servername_type(const SSL *s)
1476	return TLSEXT_NAMETYPE_host_name;	1507	return TLSEXT_NAMETYPE_host_name;
1477	return -1;	1508	return -1;
1478	}	1509	}
		1510
		1511	# ifndef OPENSSL_NO_NEXTPROTONEG
		1512	/* SSL_select_next_proto implements the standard protocol selection. It is
		1513	* expected that this function is called from the callback set by
		1514	* SSL_CTX_set_next_proto_select_cb.
		1515	*
		1516	* The protocol data is assumed to be a vector of 8-bit, length prefixed byte
		1517	* strings. The length byte itself is not included in the length. A byte
		1518	* string of length 0 is invalid. No byte string may be truncated.
		1519	*
		1520	* The current, but experimental algorithm for selecting the protocol is:
		1521	*
		1522	* 1) If the server doesn't support NPN then this is indicated to the
		1523	* callback. In this case, the client application has to abort the connection
		1524	* or have a default application level protocol.
		1525	*
		1526	* 2) If the server supports NPN, but advertises an empty list then the
		1527	* client selects the first protcol in its list, but indicates via the
		1528	* API that this fallback case was enacted.
		1529	*
		1530	* 3) Otherwise, the client finds the first protocol in the server's list
		1531	* that it supports and selects this protocol. This is because it's
		1532	* assumed that the server has better information about which protocol
		1533	* a client should use.
		1534	*
		1535	* 4) If the client doesn't support any of the server's advertised
		1536	* protocols, then this is treated the same as case 2.
		1537	*
		1538	* It returns either
		1539	* OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
		1540	* OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
		1541	*/
		1542	int SSL_select_next_proto(unsigned char *out, unsigned char outlen, const unsigned char server, unsigned int server_len, const unsigned char client, unsigned int client_len)
		1543	{
		1544	unsigned int i, j;
		1545	const unsigned char *result;
		1546	int status = OPENSSL_NPN_UNSUPPORTED;
		1547
		1548	/* For each protocol in server preference order, see if we support it. */
		1549	for (i = 0; i < server_len; )
		1550	{
		1551	for (j = 0; j < client_len; )
		1552	{
		1553	if (server[i] == client[j] &&
		1554	memcmp(&server[i+1], &client[j+1], server[i]) == 0)
		1555	{
		1556	/* We found a match */
		1557	result = &server[i];
		1558	status = OPENSSL_NPN_NEGOTIATED;
		1559	goto found;
		1560	}
		1561	j += client[j];
		1562	j++;
		1563	}
		1564	i += server[i];
		1565	i++;
		1566	}
		1567
		1568	/* There's no overlap between our protocols and the server's list. */
		1569	result = client;
		1570	status = OPENSSL_NPN_NO_OVERLAP;
		1571
		1572	found:
		1573	out = (unsigned char ) result + 1;
		1574	*outlen = result[0];
		1575	return status;
		1576	}
		1577
		1578	/* SSL_get0_next_proto_negotiated sets data and len to point to the client's
		1579	* requested protocol for this connection and returns 0. If the client didn't
		1580	* request any protocol, then *data is set to NULL.
		1581	*
		1582	* Note that the client can request any protocol it chooses. The value returned
		1583	* from this function need not be a member of the list of supported protocols
		1584	* provided by the callback.
		1585	*/
		1586	void SSL_get0_next_proto_negotiated(const SSL s, const unsigned char data, unsigned len)
		1587	{
		1588	*data = s->next_proto_negotiated;
		1589	if (!*data) {
		1590	*len = 0;
		1591	} else {
		1592	*len = s->next_proto_negotiated_len;
		1593	}
		1594	}
		1595
		1596	/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
		1597	* TLS server needs a list of supported protocols for Next Protocol
		1598	* Negotiation. The returned list must be in wire format. The list is returned
		1599	* by setting \|out\| to point to it and \|outlen\| to its length. This memory will
		1600	* not be modified, but one should assume that the SSL* keeps a reference to
		1601	* it.
		1602	*
		1603	* The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
		1604	* such extension will be included in the ServerHello. */
		1605	void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX ctx, int (cb) (SSL ssl, const unsigned char out, unsigned int outlen, void arg), void arg)
		1606	{
		1607	ctx->next_protos_advertised_cb = cb;
		1608	ctx->next_protos_advertised_cb_arg = arg;
		1609	}
		1610
		1611	/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
		1612	* client needs to select a protocol from the server's provided list. \|out\|
		1613	* must be set to point to the selected protocol (which may be within \|in\|).
		1614	* The length of the protocol name must be written into \|outlen\|. The server's
		1615	* advertised protocols are provided in \|in\| and \|inlen\|. The callback can
		1616	* assume that \|in\| is syntactically valid.
		1617	*
		1618	* The client must select a protocol. It is fatal to the connection if this
		1619	* callback returns a value other than SSL_TLSEXT_ERR_OK.
		1620	*/
		1621	void SSL_CTX_set_next_proto_select_cb(SSL_CTX ctx, int (cb) (SSL s, unsigned char out, unsigned char outlen, const unsigned char in, unsigned int inlen, void arg), void *arg)
		1622	{
		1623	ctx->next_proto_select_cb = cb;
		1624	ctx->next_proto_select_cb_arg = arg;
		1625	}
		1626	# endif
1479	#endif	1627	#endif
1480		1628
		1629	int SSL_export_keying_material(SSL s, unsigned char out, size_t olen,
		1630	const char label, size_t llen, const unsigned char p, size_t plen,
		1631	int use_context)
		1632	{
		1633	if (s->version < TLS1_VERSION)
		1634	return -1;
		1635
		1636	return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
		1637	llen, p, plen,
		1638	use_context);
		1639	}
		1640
1481	static unsigned long ssl_session_hash(const SSL_SESSION *a)	1641	static unsigned long ssl_session_hash(const SSL_SESSION *a)
1482	{	1642	{
1483	unsigned long l;	1643	unsigned long l;
@@ -1521,6 +1681,14 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
1521	return(NULL);	1681	return(NULL);
1522	}	1682	}
1523		1683
		1684	#ifdef OPENSSL_FIPS
		1685	if (FIPS_mode() && (meth->version < TLS1_VERSION))
		1686	{
		1687	SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		1688	return NULL;
		1689	}
		1690	#endif
		1691
1524	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)	1692	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1525	{	1693	{
1526	SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);	1694	SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1640,12 +1808,19 @@ SSL_CTX SSL_CTX_new(const SSL_METHOD meth)
1640	ret->tlsext_status_cb = 0;	1808	ret->tlsext_status_cb = 0;
1641	ret->tlsext_status_arg = NULL;	1809	ret->tlsext_status_arg = NULL;
1642		1810
		1811	# ifndef OPENSSL_NO_NEXTPROTONEG
		1812	ret->next_protos_advertised_cb = 0;
		1813	ret->next_proto_select_cb = 0;
		1814	# endif
1643	#endif	1815	#endif
1644	#ifndef OPENSSL_NO_PSK	1816	#ifndef OPENSSL_NO_PSK
1645	ret->psk_identity_hint=NULL;	1817	ret->psk_identity_hint=NULL;
1646	ret->psk_client_callback=NULL;	1818	ret->psk_client_callback=NULL;
1647	ret->psk_server_callback=NULL;	1819	ret->psk_server_callback=NULL;
1648	#endif	1820	#endif
		1821	#ifndef OPENSSL_NO_SRP
		1822	SSL_CTX_SRP_CTX_init(ret);
		1823	#endif
1649	#ifndef OPENSSL_NO_BUF_FREELISTS	1824	#ifndef OPENSSL_NO_BUF_FREELISTS
1650	ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;	1825	ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1651	ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));	1826	ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1774,10 +1949,16 @@ void SSL_CTX_free(SSL_CTX *a)
1774	a->comp_methods = NULL;	1949	a->comp_methods = NULL;
1775	#endif	1950	#endif
1776		1951
		1952	if (a->srtp_profiles)
		1953	sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
		1954
1777	#ifndef OPENSSL_NO_PSK	1955	#ifndef OPENSSL_NO_PSK
1778	if (a->psk_identity_hint)	1956	if (a->psk_identity_hint)
1779	OPENSSL_free(a->psk_identity_hint);	1957	OPENSSL_free(a->psk_identity_hint);
1780	#endif	1958	#endif
		1959	#ifndef OPENSSL_NO_SRP
		1960	SSL_CTX_SRP_CTX_free(a);
		1961	#endif
1781	#ifndef OPENSSL_NO_ENGINE	1962	#ifndef OPENSSL_NO_ENGINE
1782	if (a->client_cert_engine)	1963	if (a->client_cert_engine)
1783	ENGINE_finish(a->client_cert_engine);	1964	ENGINE_finish(a->client_cert_engine);
@@ -2031,12 +2212,13 @@ void ssl_set_cert_masks(CERT c, const SSL_CIPHER cipher)
2031		2212
2032	#ifndef OPENSSL_NO_EC	2213	#ifndef OPENSSL_NO_EC
2033		2214
2034	int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)	2215	int ssl_check_srvr_ecc_cert_and_alg(X509 x, SSL s)
2035	{	2216	{
2036	unsigned long alg_k, alg_a;	2217	unsigned long alg_k, alg_a;
2037	EVP_PKEY *pkey = NULL;	2218	EVP_PKEY *pkey = NULL;
2038	int keysize = 0;	2219	int keysize = 0;
2039	int signature_nid = 0, md_nid = 0, pk_nid = 0;	2220	int signature_nid = 0, md_nid = 0, pk_nid = 0;
		2221	const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2040		2222
2041	alg_k = cs->algorithm_mkey;	2223	alg_k = cs->algorithm_mkey;
2042	alg_a = cs->algorithm_auth;	2224	alg_a = cs->algorithm_auth;
@@ -2066,7 +2248,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2066	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);	2248	SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2067	return 0;	2249	return 0;
2068	}	2250	}
2069	if (alg_k & SSL_kECDHe)	2251	if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
2070	{	2252	{
2071	/* signature alg must be ECDSA */	2253	/* signature alg must be ECDSA */
2072	if (pk_nid != NID_X9_62_id_ecPublicKey)	2254	if (pk_nid != NID_X9_62_id_ecPublicKey)
@@ -2075,7 +2257,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 x, const SSL_CIPHER cs)
2075	return 0;	2257	return 0;
2076	}	2258	}
2077	}	2259	}
2078	if (alg_k & SSL_kECDHr)	2260	if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
2079	{	2261	{
2080	/* signature alg must be RSA */	2262	/* signature alg must be RSA */
2081		2263
@@ -2165,34 +2347,36 @@ X509 ssl_get_server_send_cert(SSL s)
2165	return(c->pkeys[i].x509);	2347	return(c->pkeys[i].x509);
2166	}	2348	}
2167		2349
2168	EVP_PKEY ssl_get_sign_pkey(SSL s,const SSL_CIPHER *cipher)	2350	EVP_PKEY ssl_get_sign_pkey(SSL s,const SSL_CIPHER cipher, const EVP_MD *pmd)
2169	{	2351	{
2170	unsigned long alg_a;	2352	unsigned long alg_a;
2171	CERT *c;	2353	CERT *c;
		2354	int idx = -1;
2172		2355
2173	alg_a = cipher->algorithm_auth;	2356	alg_a = cipher->algorithm_auth;
2174	c=s->cert;	2357	c=s->cert;
2175		2358
2176	if ((alg_a & SSL_aDSS) &&	2359	if ((alg_a & SSL_aDSS) &&
2177	(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))	2360	(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2178	return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);	2361	idx = SSL_PKEY_DSA_SIGN;
2179	else if (alg_a & SSL_aRSA)	2362	else if (alg_a & SSL_aRSA)
2180	{	2363	{
2181	if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)	2364	if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2182	return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);	2365	idx = SSL_PKEY_RSA_SIGN;
2183	else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)	2366	else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2184	return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey);	2367	idx = SSL_PKEY_RSA_ENC;
2185	else
2186	return(NULL);
2187	}	2368	}
2188	else if ((alg_a & SSL_aECDSA) &&	2369	else if ((alg_a & SSL_aECDSA) &&
2189	(c->pkeys[SSL_PKEY_ECC].privatekey != NULL))	2370	(c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2190	return(c->pkeys[SSL_PKEY_ECC].privatekey);	2371	idx = SSL_PKEY_ECC;
2191	else /* if (alg_a & SSL_aNULL) */	2372	if (idx == -1)
2192	{	2373	{
2193	SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);	2374	SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2194	return(NULL);	2375	return(NULL);
2195	}	2376	}
		2377	if (pmd)
		2378	*pmd = c->pkeys[idx].digest;
		2379	return c->pkeys[idx].privatekey;
2196	}	2380	}
2197		2381
2198	void ssl_update_cache(SSL *s,int mode)	2382	void ssl_update_cache(SSL *s,int mode)
@@ -2417,6 +2601,10 @@ SSL_METHOD *ssl_bad_method(int ver)
2417		2601
2418	const char SSL_get_version(const SSL s)	2602	const char SSL_get_version(const SSL s)
2419	{	2603	{
		2604	if (s->version == TLS1_2_VERSION)
		2605	return("TLSv1.2");
		2606	else if (s->version == TLS1_1_VERSION)
		2607	return("TLSv1.1");
2420	if (s->version == TLS1_VERSION)	2608	if (s->version == TLS1_VERSION)
2421	return("TLSv1");	2609	return("TLSv1");
2422	else if (s->version == SSL3_VERSION)	2610	else if (s->version == SSL3_VERSION)
@@ -2511,6 +2699,7 @@ SSL SSL_dup(SSL s)
2511	ret->in_handshake = s->in_handshake;	2699	ret->in_handshake = s->in_handshake;
2512	ret->handshake_func = s->handshake_func;	2700	ret->handshake_func = s->handshake_func;
2513	ret->server = s->server;	2701	ret->server = s->server;
		2702	ret->renegotiate = s->renegotiate;
2514	ret->new_session = s->new_session;	2703	ret->new_session = s->new_session;
2515	ret->quiet_shutdown = s->quiet_shutdown;	2704	ret->quiet_shutdown = s->quiet_shutdown;
2516	ret->shutdown=s->shutdown;	2705	ret->shutdown=s->shutdown;
@@ -2776,6 +2965,11 @@ int SSL_state(const SSL *ssl)
2776	return(ssl->state);	2965	return(ssl->state);
2777	}	2966	}
2778		2967
		2968	void SSL_set_state(SSL *ssl, int state)
		2969	{
		2970	ssl->state = state;
		2971	}
		2972
2779	void SSL_set_verify_result(SSL *ssl,long arg)	2973	void SSL_set_verify_result(SSL *ssl,long arg)
2780	{	2974	{
2781	ssl->verify_result=arg;	2975	ssl->verify_result=arg;
@@ -3034,6 +3228,16 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3034	*hash=NULL;	3228	*hash=NULL;
3035	}	3229	}
3036		3230
		3231	void SSL_set_debug(SSL *s, int debug)
		3232	{
		3233	s->debug = debug;
		3234	}
		3235
		3236	int SSL_cache_hit(SSL *s)
		3237	{
		3238	return s->hit;
		3239	}
		3240
3037	#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)	3241	#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3038	#include "../crypto/bio/bss_file.c"	3242	#include "../crypto/bio/bss_file.c"
3039	#endif	3243	#endif
@@ -3042,4 +3246,3 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
3042	IMPLEMENT_STACK_OF(SSL_COMP)	3246	IMPLEMENT_STACK_OF(SSL_COMP)
3043	IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,	3247	IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3044	ssl_cipher_id);	3248	ssl_cipher_id);
3045