summaryrefslogtreecommitdiff
path: root/src/lib/libssl
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/bio_ssl.c2
-rw-r--r--src/lib/libssl/d1_both.c178
-rw-r--r--src/lib/libssl/d1_clnt.c194
-rw-r--r--src/lib/libssl/d1_enc.c2
-rw-r--r--src/lib/libssl/d1_lib.c54
-rw-r--r--src/lib/libssl/d1_pkt.c167
-rw-r--r--src/lib/libssl/d1_srtp.c493
-rw-r--r--src/lib/libssl/d1_srvr.c186
-rw-r--r--src/lib/libssl/dtls1.h18
-rw-r--r--src/lib/libssl/s23_clnt.c111
-rw-r--r--src/lib/libssl/s23_srvr.c52
-rw-r--r--src/lib/libssl/s3_both.c36
-rw-r--r--src/lib/libssl/s3_clnt.c397
-rw-r--r--src/lib/libssl/s3_lib.c986
-rw-r--r--src/lib/libssl/s3_pkt.c77
-rw-r--r--src/lib/libssl/s3_srvr.c546
-rw-r--r--src/lib/libssl/srtp.h145
-rw-r--r--src/lib/libssl/ssl.h313
-rw-r--r--src/lib/libssl/ssl2.h4
-rw-r--r--src/lib/libssl/ssl3.h32
-rw-r--r--src/lib/libssl/ssl_algs.c9
-rw-r--r--src/lib/libssl/ssl_asn1.c50
-rw-r--r--src/lib/libssl/ssl_cert.c21
-rw-r--r--src/lib/libssl/ssl_ciph.c133
-rw-r--r--src/lib/libssl/ssl_err.c36
-rw-r--r--src/lib/libssl/ssl_lib.c247
-rw-r--r--src/lib/libssl/ssl_locl.h75
-rw-r--r--src/lib/libssl/ssl_sess.c160
-rw-r--r--src/lib/libssl/ssl_txt.c8
-rw-r--r--src/lib/libssl/t1_clnt.c21
-rw-r--r--src/lib/libssl/t1_enc.c309
-rw-r--r--src/lib/libssl/t1_lib.c941
-rw-r--r--src/lib/libssl/t1_meth.c22
-rw-r--r--src/lib/libssl/t1_srvr.c21
-rw-r--r--src/lib/libssl/test/CAss.cnf2
-rw-r--r--src/lib/libssl/test/P1ss.cnf2
-rw-r--r--src/lib/libssl/test/P2ss.cnf2
-rw-r--r--src/lib/libssl/test/Uss.cnf4
-rw-r--r--src/lib/libssl/test/pkits-test.pl9
-rw-r--r--src/lib/libssl/test/test.cnf2
-rw-r--r--src/lib/libssl/test/testssl10
-rw-r--r--src/lib/libssl/tls1.h209
42 files changed, 5785 insertions, 501 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index eedac8a3fc..e9552caee2 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -538,6 +538,7 @@ err:
538 538
539BIO *BIO_new_ssl_connect(SSL_CTX *ctx) 539BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
540 { 540 {
541#ifndef OPENSSL_NO_SOCK
541 BIO *ret=NULL,*con=NULL,*ssl=NULL; 542 BIO *ret=NULL,*con=NULL,*ssl=NULL;
542 543
543 if ((con=BIO_new(BIO_s_connect())) == NULL) 544 if ((con=BIO_new(BIO_s_connect())) == NULL)
@@ -549,6 +550,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
549 return(ret); 550 return(ret);
550err: 551err:
551 if (con != NULL) BIO_free(con); 552 if (con != NULL) BIO_free(con);
553#endif
552 return(NULL); 554 return(NULL);
553 } 555 }
554 556
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 9f898d6997..de8bab873f 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -227,14 +227,14 @@ int dtls1_do_write(SSL *s, int type)
227 unsigned int len, frag_off, mac_size, blocksize; 227 unsigned int len, frag_off, mac_size, blocksize;
228 228
229 /* AHA! Figure out the MTU, and stick to the right size */ 229 /* AHA! Figure out the MTU, and stick to the right size */
230 if ( ! (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) 230 if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
231 { 231 {
232 s->d1->mtu = 232 s->d1->mtu =
233 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 233 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
234 234
235 /* I've seen the kernel return bogus numbers when it doesn't know 235 /* I've seen the kernel return bogus numbers when it doesn't know
236 * (initial write), so just make sure we have a reasonable number */ 236 * (initial write), so just make sure we have a reasonable number */
237 if ( s->d1->mtu < dtls1_min_mtu()) 237 if (s->d1->mtu < dtls1_min_mtu())
238 { 238 {
239 s->d1->mtu = 0; 239 s->d1->mtu = 0;
240 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); 240 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -1084,7 +1084,11 @@ int dtls1_read_failed(SSL *s, int code)
1084 return code; 1084 return code;
1085 } 1085 }
1086 1086
1087 if ( ! SSL_in_init(s)) /* done, no need to send a retransmit */ 1087#ifndef OPENSSL_NO_HEARTBEATS
1088 if (!SSL_in_init(s) && !s->tlsext_hb_pending) /* done, no need to send a retransmit */
1089#else
1090 if (!SSL_in_init(s)) /* done, no need to send a retransmit */
1091#endif
1088 { 1092 {
1089 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); 1093 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
1090 return code; 1094 return code;
@@ -1417,3 +1421,171 @@ dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr)
1417 1421
1418 ccs_hdr->type = *(data++); 1422 ccs_hdr->type = *(data++);
1419 } 1423 }
1424
1425int dtls1_shutdown(SSL *s)
1426 {
1427 int ret;
1428#ifndef OPENSSL_NO_SCTP
1429 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
1430 !(s->shutdown & SSL_SENT_SHUTDOWN))
1431 {
1432 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
1433 if (ret < 0) return -1;
1434
1435 if (ret == 0)
1436 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
1437 }
1438#endif
1439 ret = ssl3_shutdown(s);
1440#ifndef OPENSSL_NO_SCTP
1441 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
1442#endif
1443 return ret;
1444 }
1445
1446#ifndef OPENSSL_NO_HEARTBEATS
1447int
1448dtls1_process_heartbeat(SSL *s)
1449 {
1450 unsigned char *p = &s->s3->rrec.data[0], *pl;
1451 unsigned short hbtype;
1452 unsigned int payload;
1453 unsigned int padding = 16; /* Use minimum padding */
1454
1455 /* Read type and payload length first */
1456 hbtype = *p++;
1457 n2s(p, payload);
1458 pl = p;
1459
1460 if (s->msg_callback)
1461 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
1462 &s->s3->rrec.data[0], s->s3->rrec.length,
1463 s, s->msg_callback_arg);
1464
1465 if (hbtype == TLS1_HB_REQUEST)
1466 {
1467 unsigned char *buffer, *bp;
1468 int r;
1469
1470 /* Allocate memory for the response, size is 1 byte
1471 * message type, plus 2 bytes payload length, plus
1472 * payload, plus padding
1473 */
1474 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
1475 bp = buffer;
1476
1477 /* Enter response type, length and copy payload */
1478 *bp++ = TLS1_HB_RESPONSE;
1479 s2n(payload, bp);
1480 memcpy(bp, pl, payload);
1481 bp += payload;
1482 /* Random padding */
1483 RAND_pseudo_bytes(bp, padding);
1484
1485 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
1486
1487 if (r >= 0 && s->msg_callback)
1488 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1489 buffer, 3 + payload + padding,
1490 s, s->msg_callback_arg);
1491
1492 OPENSSL_free(buffer);
1493
1494 if (r < 0)
1495 return r;
1496 }
1497 else if (hbtype == TLS1_HB_RESPONSE)
1498 {
1499 unsigned int seq;
1500
1501 /* We only send sequence numbers (2 bytes unsigned int),
1502 * and 16 random bytes, so we just try to read the
1503 * sequence number */
1504 n2s(pl, seq);
1505
1506 if (payload == 18 && seq == s->tlsext_hb_seq)
1507 {
1508 dtls1_stop_timer(s);
1509 s->tlsext_hb_seq++;
1510 s->tlsext_hb_pending = 0;
1511 }
1512 }
1513
1514 return 0;
1515 }
1516
1517int
1518dtls1_heartbeat(SSL *s)
1519 {
1520 unsigned char *buf, *p;
1521 int ret;
1522 unsigned int payload = 18; /* Sequence number + random bytes */
1523 unsigned int padding = 16; /* Use minimum padding */
1524
1525 /* Only send if peer supports and accepts HB requests... */
1526 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
1527 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
1528 {
1529 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
1530 return -1;
1531 }
1532
1533 /* ...and there is none in flight yet... */
1534 if (s->tlsext_hb_pending)
1535 {
1536 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
1537 return -1;
1538 }
1539
1540 /* ...and no handshake in progress. */
1541 if (SSL_in_init(s) || s->in_handshake)
1542 {
1543 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
1544 return -1;
1545 }
1546
1547 /* Check if padding is too long, payload and padding
1548 * must not exceed 2^14 - 3 = 16381 bytes in total.
1549 */
1550 OPENSSL_assert(payload + padding <= 16381);
1551
1552 /* Create HeartBeat message, we just use a sequence number
1553 * as payload to distuingish different messages and add
1554 * some random stuff.
1555 * - Message Type, 1 byte
1556 * - Payload Length, 2 bytes (unsigned int)
1557 * - Payload, the sequence number (2 bytes uint)
1558 * - Payload, random bytes (16 bytes uint)
1559 * - Padding
1560 */
1561 buf = OPENSSL_malloc(1 + 2 + payload + padding);
1562 p = buf;
1563 /* Message Type */
1564 *p++ = TLS1_HB_REQUEST;
1565 /* Payload length (18 bytes here) */
1566 s2n(payload, p);
1567 /* Sequence number */
1568 s2n(s->tlsext_hb_seq, p);
1569 /* 16 random bytes */
1570 RAND_pseudo_bytes(p, 16);
1571 p += 16;
1572 /* Random padding */
1573 RAND_pseudo_bytes(p, padding);
1574
1575 ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
1576 if (ret >= 0)
1577 {
1578 if (s->msg_callback)
1579 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1580 buf, 3 + payload + padding,
1581 s, s->msg_callback_arg);
1582
1583 dtls1_start_timer(s);
1584 s->tlsext_hb_pending = 1;
1585 }
1586
1587 OPENSSL_free(buf);
1588
1589 return ret;
1590 }
1591#endif
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 089fa4c7f8..a6ed09c51d 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -150,7 +150,11 @@ int dtls1_connect(SSL *s)
150 unsigned long Time=(unsigned long)time(NULL); 150 unsigned long Time=(unsigned long)time(NULL);
151 void (*cb)(const SSL *ssl,int type,int val)=NULL; 151 void (*cb)(const SSL *ssl,int type,int val)=NULL;
152 int ret= -1; 152 int ret= -1;
153 int new_state,state,skip=0;; 153 int new_state,state,skip=0;
154#ifndef OPENSSL_NO_SCTP
155 unsigned char sctpauthkey[64];
156 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
157#endif
154 158
155 RAND_add(&Time,sizeof(Time),0); 159 RAND_add(&Time,sizeof(Time),0);
156 ERR_clear_error(); 160 ERR_clear_error();
@@ -164,6 +168,27 @@ int dtls1_connect(SSL *s)
164 s->in_handshake++; 168 s->in_handshake++;
165 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 169 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
166 170
171#ifndef OPENSSL_NO_SCTP
172 /* Notify SCTP BIO socket to enter handshake
173 * mode and prevent stream identifier other
174 * than 0. Will be ignored if no SCTP is used.
175 */
176 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
177#endif
178
179#ifndef OPENSSL_NO_HEARTBEATS
180 /* If we're awaiting a HeartbeatResponse, pretend we
181 * already got and don't await it anymore, because
182 * Heartbeats don't make sense during handshakes anyway.
183 */
184 if (s->tlsext_hb_pending)
185 {
186 dtls1_stop_timer(s);
187 s->tlsext_hb_pending = 0;
188 s->tlsext_hb_seq++;
189 }
190#endif
191
167 for (;;) 192 for (;;)
168 { 193 {
169 state=s->state; 194 state=s->state;
@@ -171,7 +196,7 @@ int dtls1_connect(SSL *s)
171 switch(s->state) 196 switch(s->state)
172 { 197 {
173 case SSL_ST_RENEGOTIATE: 198 case SSL_ST_RENEGOTIATE:
174 s->new_session=1; 199 s->renegotiate=1;
175 s->state=SSL_ST_CONNECT; 200 s->state=SSL_ST_CONNECT;
176 s->ctx->stats.sess_connect_renegotiate++; 201 s->ctx->stats.sess_connect_renegotiate++;
177 /* break */ 202 /* break */
@@ -226,6 +251,42 @@ int dtls1_connect(SSL *s)
226 s->hit = 0; 251 s->hit = 0;
227 break; 252 break;
228 253
254#ifndef OPENSSL_NO_SCTP
255 case DTLS1_SCTP_ST_CR_READ_SOCK:
256
257 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
258 {
259 s->s3->in_read_app_data=2;
260 s->rwstate=SSL_READING;
261 BIO_clear_retry_flags(SSL_get_rbio(s));
262 BIO_set_retry_read(SSL_get_rbio(s));
263 ret = -1;
264 goto end;
265 }
266
267 s->state=s->s3->tmp.next_state;
268 break;
269
270 case DTLS1_SCTP_ST_CW_WRITE_SOCK:
271 /* read app data until dry event */
272
273 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
274 if (ret < 0) goto end;
275
276 if (ret == 0)
277 {
278 s->s3->in_read_app_data=2;
279 s->rwstate=SSL_READING;
280 BIO_clear_retry_flags(SSL_get_rbio(s));
281 BIO_set_retry_read(SSL_get_rbio(s));
282 ret = -1;
283 goto end;
284 }
285
286 s->state=s->d1->next_state;
287 break;
288#endif
289
229 case SSL3_ST_CW_CLNT_HELLO_A: 290 case SSL3_ST_CW_CLNT_HELLO_A:
230 case SSL3_ST_CW_CLNT_HELLO_B: 291 case SSL3_ST_CW_CLNT_HELLO_B:
231 292
@@ -248,9 +309,17 @@ int dtls1_connect(SSL *s)
248 309
249 s->init_num=0; 310 s->init_num=0;
250 311
251 /* turn on buffering for the next lot of output */ 312#ifndef OPENSSL_NO_SCTP
252 if (s->bbio != s->wbio) 313 /* Disable buffering for SCTP */
253 s->wbio=BIO_push(s->bbio,s->wbio); 314 if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
315 {
316#endif
317 /* turn on buffering for the next lot of output */
318 if (s->bbio != s->wbio)
319 s->wbio=BIO_push(s->bbio,s->wbio);
320#ifndef OPENSSL_NO_SCTP
321 }
322#endif
254 323
255 break; 324 break;
256 325
@@ -260,9 +329,25 @@ int dtls1_connect(SSL *s)
260 if (ret <= 0) goto end; 329 if (ret <= 0) goto end;
261 else 330 else
262 { 331 {
263 dtls1_stop_timer(s);
264 if (s->hit) 332 if (s->hit)
333 {
334#ifndef OPENSSL_NO_SCTP
335 /* Add new shared key for SCTP-Auth,
336 * will be ignored if no SCTP used.
337 */
338 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
339 DTLS1_SCTP_AUTH_LABEL);
340
341 SSL_export_keying_material(s, sctpauthkey,
342 sizeof(sctpauthkey), labelbuffer,
343 sizeof(labelbuffer), NULL, 0, 0);
344
345 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
346 sizeof(sctpauthkey), sctpauthkey);
347#endif
348
265 s->state=SSL3_ST_CR_FINISHED_A; 349 s->state=SSL3_ST_CR_FINISHED_A;
350 }
266 else 351 else
267 s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 352 s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
268 } 353 }
@@ -354,12 +439,20 @@ int dtls1_connect(SSL *s)
354 case SSL3_ST_CR_SRVR_DONE_B: 439 case SSL3_ST_CR_SRVR_DONE_B:
355 ret=ssl3_get_server_done(s); 440 ret=ssl3_get_server_done(s);
356 if (ret <= 0) goto end; 441 if (ret <= 0) goto end;
442 dtls1_stop_timer(s);
357 if (s->s3->tmp.cert_req) 443 if (s->s3->tmp.cert_req)
358 s->state=SSL3_ST_CW_CERT_A; 444 s->s3->tmp.next_state=SSL3_ST_CW_CERT_A;
359 else 445 else
360 s->state=SSL3_ST_CW_KEY_EXCH_A; 446 s->s3->tmp.next_state=SSL3_ST_CW_KEY_EXCH_A;
361 s->init_num=0; 447 s->init_num=0;
362 448
449#ifndef OPENSSL_NO_SCTP
450 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
451 state == SSL_ST_RENEGOTIATE)
452 s->state=DTLS1_SCTP_ST_CR_READ_SOCK;
453 else
454#endif
455 s->state=s->s3->tmp.next_state;
363 break; 456 break;
364 457
365 case SSL3_ST_CW_CERT_A: 458 case SSL3_ST_CW_CERT_A:
@@ -378,6 +471,22 @@ int dtls1_connect(SSL *s)
378 dtls1_start_timer(s); 471 dtls1_start_timer(s);
379 ret=dtls1_send_client_key_exchange(s); 472 ret=dtls1_send_client_key_exchange(s);
380 if (ret <= 0) goto end; 473 if (ret <= 0) goto end;
474
475#ifndef OPENSSL_NO_SCTP
476 /* Add new shared key for SCTP-Auth,
477 * will be ignored if no SCTP used.
478 */
479 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
480 DTLS1_SCTP_AUTH_LABEL);
481
482 SSL_export_keying_material(s, sctpauthkey,
483 sizeof(sctpauthkey), labelbuffer,
484 sizeof(labelbuffer), NULL, 0, 0);
485
486 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
487 sizeof(sctpauthkey), sctpauthkey);
488#endif
489
381 /* EAY EAY EAY need to check for DH fix cert 490 /* EAY EAY EAY need to check for DH fix cert
382 * sent back */ 491 * sent back */
383 /* For TLS, cert_req is set to 2, so a cert chain 492 /* For TLS, cert_req is set to 2, so a cert chain
@@ -388,7 +497,15 @@ int dtls1_connect(SSL *s)
388 } 497 }
389 else 498 else
390 { 499 {
391 s->state=SSL3_ST_CW_CHANGE_A; 500#ifndef OPENSSL_NO_SCTP
501 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
502 {
503 s->d1->next_state=SSL3_ST_CW_CHANGE_A;
504 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
505 }
506 else
507#endif
508 s->state=SSL3_ST_CW_CHANGE_A;
392 s->s3->change_cipher_spec=0; 509 s->s3->change_cipher_spec=0;
393 } 510 }
394 511
@@ -400,7 +517,15 @@ int dtls1_connect(SSL *s)
400 dtls1_start_timer(s); 517 dtls1_start_timer(s);
401 ret=dtls1_send_client_verify(s); 518 ret=dtls1_send_client_verify(s);
402 if (ret <= 0) goto end; 519 if (ret <= 0) goto end;
403 s->state=SSL3_ST_CW_CHANGE_A; 520#ifndef OPENSSL_NO_SCTP
521 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
522 {
523 s->d1->next_state=SSL3_ST_CW_CHANGE_A;
524 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
525 }
526 else
527#endif
528 s->state=SSL3_ST_CW_CHANGE_A;
404 s->init_num=0; 529 s->init_num=0;
405 s->s3->change_cipher_spec=0; 530 s->s3->change_cipher_spec=0;
406 break; 531 break;
@@ -412,6 +537,14 @@ int dtls1_connect(SSL *s)
412 ret=dtls1_send_change_cipher_spec(s, 537 ret=dtls1_send_change_cipher_spec(s,
413 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
414 if (ret <= 0) goto end; 539 if (ret <= 0) goto end;
540
541#ifndef OPENSSL_NO_SCTP
542 /* Change to new shared key of SCTP-Auth,
543 * will be ignored if no SCTP used.
544 */
545 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
546#endif
547
415 s->state=SSL3_ST_CW_FINISHED_A; 548 s->state=SSL3_ST_CW_FINISHED_A;
416 s->init_num=0; 549 s->init_num=0;
417 550
@@ -457,9 +590,23 @@ int dtls1_connect(SSL *s)
457 if (s->hit) 590 if (s->hit)
458 { 591 {
459 s->s3->tmp.next_state=SSL_ST_OK; 592 s->s3->tmp.next_state=SSL_ST_OK;
593#ifndef OPENSSL_NO_SCTP
594 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
595 {
596 s->d1->next_state = s->s3->tmp.next_state;
597 s->s3->tmp.next_state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
598 }
599#endif
460 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 600 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
461 { 601 {
462 s->state=SSL_ST_OK; 602 s->state=SSL_ST_OK;
603#ifndef OPENSSL_NO_SCTP
604 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
605 {
606 s->d1->next_state = SSL_ST_OK;
607 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
608 }
609#endif
463 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 610 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
464 s->s3->delay_buf_pop_ret=0; 611 s->s3->delay_buf_pop_ret=0;
465 } 612 }
@@ -508,6 +655,16 @@ int dtls1_connect(SSL *s)
508 s->state=SSL3_ST_CW_CHANGE_A; 655 s->state=SSL3_ST_CW_CHANGE_A;
509 else 656 else
510 s->state=SSL_ST_OK; 657 s->state=SSL_ST_OK;
658
659#ifndef OPENSSL_NO_SCTP
660 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
661 state == SSL_ST_RENEGOTIATE)
662 {
663 s->d1->next_state=s->state;
664 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
665 }
666#endif
667
511 s->init_num=0; 668 s->init_num=0;
512 break; 669 break;
513 670
@@ -515,6 +672,13 @@ int dtls1_connect(SSL *s)
515 s->rwstate=SSL_WRITING; 672 s->rwstate=SSL_WRITING;
516 if (BIO_flush(s->wbio) <= 0) 673 if (BIO_flush(s->wbio) <= 0)
517 { 674 {
675 /* If the write error was fatal, stop trying */
676 if (!BIO_should_retry(s->wbio))
677 {
678 s->rwstate=SSL_NOTHING;
679 s->state=s->s3->tmp.next_state;
680 }
681
518 ret= -1; 682 ret= -1;
519 goto end; 683 goto end;
520 } 684 }
@@ -541,6 +705,7 @@ int dtls1_connect(SSL *s)
541 /* else do it later in ssl3_write */ 705 /* else do it later in ssl3_write */
542 706
543 s->init_num=0; 707 s->init_num=0;
708 s->renegotiate=0;
544 s->new_session=0; 709 s->new_session=0;
545 710
546 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 711 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
@@ -587,6 +752,15 @@ int dtls1_connect(SSL *s)
587 } 752 }
588end: 753end:
589 s->in_handshake--; 754 s->in_handshake--;
755
756#ifndef OPENSSL_NO_SCTP
757 /* Notify SCTP BIO socket to leave handshake
758 * mode and allow stream identifier other
759 * than 0. Will be ignored if no SCTP is used.
760 */
761 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
762#endif
763
590 if (buf != NULL) 764 if (buf != NULL)
591 BUF_MEM_free(buf); 765 BUF_MEM_free(buf);
592 if (cb != NULL) 766 if (cb != NULL)
diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c
index becbab91c2..07a5e97ce5 100644
--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -260,7 +260,7 @@ int dtls1_enc(SSL *s, int send)
260 } 260 }
261 /* TLS 1.0 does not bound the number of padding bytes by the block size. 261 /* TLS 1.0 does not bound the number of padding bytes by the block size.
262 * All of them must have value 'padding_length'. */ 262 * All of them must have value 'padding_length'. */
263 if (i > (int)rec->length) 263 if (i + bs > (int)rec->length)
264 { 264 {
265 /* Incorrect padding. SSLerr() and ssl3_alert are done 265 /* Incorrect padding. SSLerr() and ssl3_alert are done
266 * by caller: we don't want to reveal whether this is 266 * by caller: we don't want to reveal whether this is
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index c3b77c889b..f61f718183 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -82,6 +82,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
82 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 82 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
83 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 83 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
84 tls1_alert_code, 84 tls1_alert_code,
85 tls1_export_keying_material,
85 }; 86 };
86 87
87long dtls1_default_timeout(void) 88long dtls1_default_timeout(void)
@@ -291,6 +292,15 @@ const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
291 292
292void dtls1_start_timer(SSL *s) 293void dtls1_start_timer(SSL *s)
293 { 294 {
295#ifndef OPENSSL_NO_SCTP
296 /* Disable timer for SCTP */
297 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
298 {
299 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
300 return;
301 }
302#endif
303
294 /* If timer is not set, initialize duration with 1 second */ 304 /* If timer is not set, initialize duration with 1 second */
295 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) 305 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0)
296 { 306 {
@@ -381,6 +391,7 @@ void dtls1_double_timeout(SSL *s)
381void dtls1_stop_timer(SSL *s) 391void dtls1_stop_timer(SSL *s)
382 { 392 {
383 /* Reset everything */ 393 /* Reset everything */
394 memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
384 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); 395 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
385 s->d1->timeout_duration = 1; 396 s->d1->timeout_duration = 1;
386 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout)); 397 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
@@ -388,10 +399,28 @@ void dtls1_stop_timer(SSL *s)
388 dtls1_clear_record_buffer(s); 399 dtls1_clear_record_buffer(s);
389 } 400 }
390 401
391int dtls1_handle_timeout(SSL *s) 402int dtls1_check_timeout_num(SSL *s)
392 { 403 {
393 DTLS1_STATE *state; 404 s->d1->timeout.num_alerts++;
405
406 /* Reduce MTU after 2 unsuccessful retransmissions */
407 if (s->d1->timeout.num_alerts > 2)
408 {
409 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
410 }
394 411
412 if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
413 {
414 /* fail the connection, enough alerts have been sent */
415 SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED);
416 return -1;
417 }
418
419 return 0;
420 }
421
422int dtls1_handle_timeout(SSL *s)
423 {
395 /* if no timer is expired, don't do anything */ 424 /* if no timer is expired, don't do anything */
396 if (!dtls1_is_timer_expired(s)) 425 if (!dtls1_is_timer_expired(s))
397 { 426 {
@@ -399,20 +428,23 @@ int dtls1_handle_timeout(SSL *s)
399 } 428 }
400 429
401 dtls1_double_timeout(s); 430 dtls1_double_timeout(s);
402 state = s->d1; 431
403 state->timeout.num_alerts++; 432 if (dtls1_check_timeout_num(s) < 0)
404 if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
405 {
406 /* fail the connection, enough alerts have been sent */
407 SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED);
408 return -1; 433 return -1;
434
435 s->d1->timeout.read_timeouts++;
436 if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
437 {
438 s->d1->timeout.read_timeouts = 1;
409 } 439 }
410 440
411 state->timeout.read_timeouts++; 441#ifndef OPENSSL_NO_HEARTBEATS
412 if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) 442 if (s->tlsext_hb_pending)
413 { 443 {
414 state->timeout.read_timeouts = 1; 444 s->tlsext_hb_pending = 0;
445 return dtls1_heartbeat(s);
415 } 446 }
447#endif
416 448
417 dtls1_start_timer(s); 449 dtls1_start_timer(s);
418 return dtls1_retransmit_buffered_messages(s); 450 return dtls1_retransmit_buffered_messages(s);
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index e0c0f0cc9a..987af60835 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -179,7 +179,6 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
179static int dtls1_buffer_record(SSL *s, record_pqueue *q, 179static int dtls1_buffer_record(SSL *s, record_pqueue *q,
180 unsigned char *priority); 180 unsigned char *priority);
181static int dtls1_process_record(SSL *s); 181static int dtls1_process_record(SSL *s);
182static void dtls1_clear_timeouts(SSL *s);
183 182
184/* copy buffered record into SSL structure */ 183/* copy buffered record into SSL structure */
185static int 184static int
@@ -232,6 +231,14 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
232 231
233 item->data = rdata; 232 item->data = rdata;
234 233
234#ifndef OPENSSL_NO_SCTP
235 /* Store bio_dgram_sctp_rcvinfo struct */
236 if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
237 (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {
238 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
239 }
240#endif
241
235 /* insert should not fail, since duplicates are dropped */ 242 /* insert should not fail, since duplicates are dropped */
236 if (pqueue_insert(queue->q, item) == NULL) 243 if (pqueue_insert(queue->q, item) == NULL)
237 { 244 {
@@ -376,6 +383,7 @@ dtls1_process_record(SSL *s)
376 unsigned int mac_size; 383 unsigned int mac_size;
377 unsigned char md[EVP_MAX_MD_SIZE]; 384 unsigned char md[EVP_MAX_MD_SIZE];
378 int decryption_failed_or_bad_record_mac = 0; 385 int decryption_failed_or_bad_record_mac = 0;
386 unsigned char *mac = NULL;
379 387
380 388
381 rr= &(s->s3->rrec); 389 rr= &(s->s3->rrec);
@@ -447,19 +455,15 @@ printf("\n");
447#endif 455#endif
448 } 456 }
449 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 457 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
450 if (rr->length < mac_size) 458 if (rr->length >= mac_size)
451 { 459 {
452#if 0 /* OK only for stream ciphers */ 460 rr->length -= mac_size;
453 al=SSL_AD_DECODE_ERROR; 461 mac = &rr->data[rr->length];
454 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
455 goto f_err;
456#else
457 decryption_failed_or_bad_record_mac = 1;
458#endif
459 } 462 }
460 rr->length-=mac_size; 463 else
464 rr->length = 0;
461 i=s->method->ssl3_enc->mac(s,md,0); 465 i=s->method->ssl3_enc->mac(s,md,0);
462 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 466 if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
463 { 467 {
464 decryption_failed_or_bad_record_mac = 1; 468 decryption_failed_or_bad_record_mac = 1;
465 } 469 }
@@ -644,20 +648,28 @@ again:
644 goto again; /* get another record */ 648 goto again; /* get another record */
645 } 649 }
646 650
647 /* Check whether this is a repeat, or aged record. 651#ifndef OPENSSL_NO_SCTP
648 * Don't check if we're listening and this message is 652 /* Only do replay check if no SCTP bio */
649 * a ClientHello. They can look as if they're replayed, 653 if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
650 * since they arrive from different connections and 654 {
651 * would be dropped unnecessarily. 655#endif
652 */ 656 /* Check whether this is a repeat, or aged record.
653 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && 657 * Don't check if we're listening and this message is
654 *p == SSL3_MT_CLIENT_HELLO) && 658 * a ClientHello. They can look as if they're replayed,
655 !dtls1_record_replay_check(s, bitmap)) 659 * since they arrive from different connections and
656 { 660 * would be dropped unnecessarily.
657 rr->length = 0; 661 */
658 s->packet_length=0; /* dump this record */ 662 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
659 goto again; /* get another record */ 663 *p == SSL3_MT_CLIENT_HELLO) &&
660 } 664 !dtls1_record_replay_check(s, bitmap))
665 {
666 rr->length = 0;
667 s->packet_length=0; /* dump this record */
668 goto again; /* get another record */
669 }
670#ifndef OPENSSL_NO_SCTP
671 }
672#endif
661 673
662 /* just read a 0 length packet */ 674 /* just read a 0 length packet */
663 if (rr->length == 0) goto again; 675 if (rr->length == 0) goto again;
@@ -685,7 +697,6 @@ again:
685 goto again; /* get another record */ 697 goto again; /* get another record */
686 } 698 }
687 699
688 dtls1_clear_timeouts(s); /* done waiting */
689 return(1); 700 return(1);
690 701
691 } 702 }
@@ -743,7 +754,17 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
743 754
744 /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ 755 /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
745 756
757#ifndef OPENSSL_NO_SCTP
758 /* Continue handshake if it had to be interrupted to read
759 * app data with SCTP.
760 */
761 if ((!s->in_handshake && SSL_in_init(s)) ||
762 (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
763 (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) &&
764 s->s3->in_read_app_data != 2))
765#else
746 if (!s->in_handshake && SSL_in_init(s)) 766 if (!s->in_handshake && SSL_in_init(s))
767#endif
747 { 768 {
748 /* type == SSL3_RT_APPLICATION_DATA */ 769 /* type == SSL3_RT_APPLICATION_DATA */
749 i=s->handshake_func(s); 770 i=s->handshake_func(s);
@@ -774,6 +795,15 @@ start:
774 item = pqueue_pop(s->d1->buffered_app_data.q); 795 item = pqueue_pop(s->d1->buffered_app_data.q);
775 if (item) 796 if (item)
776 { 797 {
798#ifndef OPENSSL_NO_SCTP
799 /* Restore bio_dgram_sctp_rcvinfo struct */
800 if (BIO_dgram_is_sctp(SSL_get_rbio(s)))
801 {
802 DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *) item->data;
803 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
804 }
805#endif
806
777 dtls1_copy_record(s, item); 807 dtls1_copy_record(s, item);
778 808
779 OPENSSL_free(item->data); 809 OPENSSL_free(item->data);
@@ -856,6 +886,31 @@ start:
856 rr->off=0; 886 rr->off=0;
857 } 887 }
858 } 888 }
889
890#ifndef OPENSSL_NO_SCTP
891 /* We were about to renegotiate but had to read
892 * belated application data first, so retry.
893 */
894 if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
895 rr->type == SSL3_RT_APPLICATION_DATA &&
896 (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))
897 {
898 s->rwstate=SSL_READING;
899 BIO_clear_retry_flags(SSL_get_rbio(s));
900 BIO_set_retry_read(SSL_get_rbio(s));
901 }
902
903 /* We might had to delay a close_notify alert because
904 * of reordered app data. If there was an alert and there
905 * is no message to read anymore, finally set shutdown.
906 */
907 if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
908 s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
909 {
910 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
911 return(0);
912 }
913#endif
859 return(n); 914 return(n);
860 } 915 }
861 916
@@ -883,6 +938,19 @@ start:
883 dest = s->d1->alert_fragment; 938 dest = s->d1->alert_fragment;
884 dest_len = &s->d1->alert_fragment_len; 939 dest_len = &s->d1->alert_fragment_len;
885 } 940 }
941#ifndef OPENSSL_NO_HEARTBEATS
942 else if (rr->type == TLS1_RT_HEARTBEAT)
943 {
944 dtls1_process_heartbeat(s);
945
946 /* Exit and notify application to read again */
947 rr->length = 0;
948 s->rwstate=SSL_READING;
949 BIO_clear_retry_flags(SSL_get_rbio(s));
950 BIO_set_retry_read(SSL_get_rbio(s));
951 return(-1);
952 }
953#endif
886 /* else it's a CCS message, or application data or wrong */ 954 /* else it's a CCS message, or application data or wrong */
887 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) 955 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
888 { 956 {
@@ -966,6 +1034,7 @@ start:
966 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 1034 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
967 !s->s3->renegotiate) 1035 !s->s3->renegotiate)
968 { 1036 {
1037 s->new_session = 1;
969 ssl3_renegotiate(s); 1038 ssl3_renegotiate(s);
970 if (ssl3_renegotiate_check(s)) 1039 if (ssl3_renegotiate_check(s))
971 { 1040 {
@@ -1027,6 +1096,21 @@ start:
1027 s->s3->warn_alert = alert_descr; 1096 s->s3->warn_alert = alert_descr;
1028 if (alert_descr == SSL_AD_CLOSE_NOTIFY) 1097 if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1029 { 1098 {
1099#ifndef OPENSSL_NO_SCTP
1100 /* With SCTP and streams the socket may deliver app data
1101 * after a close_notify alert. We have to check this
1102 * first so that nothing gets discarded.
1103 */
1104 if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
1105 BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
1106 {
1107 s->d1->shutdown_received = 1;
1108 s->rwstate=SSL_READING;
1109 BIO_clear_retry_flags(SSL_get_rbio(s));
1110 BIO_set_retry_read(SSL_get_rbio(s));
1111 return -1;
1112 }
1113#endif
1030 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1114 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1031 return(0); 1115 return(0);
1032 } 1116 }
@@ -1133,6 +1217,15 @@ start:
1133 if (s->version == DTLS1_BAD_VER) 1217 if (s->version == DTLS1_BAD_VER)
1134 s->d1->handshake_read_seq++; 1218 s->d1->handshake_read_seq++;
1135 1219
1220#ifndef OPENSSL_NO_SCTP
1221 /* Remember that a CCS has been received,
1222 * so that an old key of SCTP-Auth can be
1223 * deleted when a CCS is sent. Will be ignored
1224 * if no SCTP is used
1225 */
1226 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
1227#endif
1228
1136 goto start; 1229 goto start;
1137 } 1230 }
1138 1231
@@ -1155,6 +1248,9 @@ start:
1155 */ 1248 */
1156 if (msg_hdr.type == SSL3_MT_FINISHED) 1249 if (msg_hdr.type == SSL3_MT_FINISHED)
1157 { 1250 {
1251 if (dtls1_check_timeout_num(s) < 0)
1252 return -1;
1253
1158 dtls1_retransmit_buffered_messages(s); 1254 dtls1_retransmit_buffered_messages(s);
1159 rr->length = 0; 1255 rr->length = 0;
1160 goto start; 1256 goto start;
@@ -1172,6 +1268,7 @@ start:
1172#else 1268#else
1173 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1269 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1174#endif 1270#endif
1271 s->renegotiate=1;
1175 s->new_session=1; 1272 s->new_session=1;
1176 } 1273 }
1177 i=s->handshake_func(s); 1274 i=s->handshake_func(s);
@@ -1268,7 +1365,16 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1268 { 1365 {
1269 int i; 1366 int i;
1270 1367
1271 if (SSL_in_init(s) && !s->in_handshake) 1368#ifndef OPENSSL_NO_SCTP
1369 /* Check if we have to continue an interrupted handshake
1370 * for reading belated app data with SCTP.
1371 */
1372 if ((SSL_in_init(s) && !s->in_handshake) ||
1373 (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
1374 (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)))
1375#else
1376 if (SSL_in_init(s) && !s->in_handshake)
1377#endif
1272 { 1378 {
1273 i=s->handshake_func(s); 1379 i=s->handshake_func(s);
1274 if (i < 0) return(i); 1380 if (i < 0) return(i);
@@ -1768,10 +1874,3 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
1768 1874
1769 memset(seq, 0x00, seq_bytes); 1875 memset(seq, 0x00, seq_bytes);
1770 } 1876 }
1771
1772
1773static void
1774dtls1_clear_timeouts(SSL *s)
1775 {
1776 memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
1777 }
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
new file mode 100644
index 0000000000..928935bd8b
--- /dev/null
+++ b/src/lib/libssl/d1_srtp.c
@@ -0,0 +1,493 @@
1/* ssl/t1_lib.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/*
112 DTLS code by Eric Rescorla <ekr@rtfm.com>
113
114 Copyright (C) 2006, Network Resonance, Inc.
115 Copyright (C) 2011, RTFM, Inc.
116*/
117
118#ifndef OPENSSL_NO_SRTP
119
120#include <stdio.h>
121#include <openssl/objects.h>
122#include "ssl_locl.h"
123#include "srtp.h"
124
125
126static SRTP_PROTECTION_PROFILE srtp_known_profiles[]=
127 {
128 {
129 "SRTP_AES128_CM_SHA1_80",
130 SRTP_AES128_CM_SHA1_80,
131 },
132 {
133 "SRTP_AES128_CM_SHA1_32",
134 SRTP_AES128_CM_SHA1_32,
135 },
136#if 0
137 {
138 "SRTP_NULL_SHA1_80",
139 SRTP_NULL_SHA1_80,
140 },
141 {
142 "SRTP_NULL_SHA1_32",
143 SRTP_NULL_SHA1_32,
144 },
145#endif
146 {0}
147 };
148
149static int find_profile_by_name(char *profile_name,
150 SRTP_PROTECTION_PROFILE **pptr,unsigned len)
151 {
152 SRTP_PROTECTION_PROFILE *p;
153
154 p=srtp_known_profiles;
155 while(p->name)
156 {
157 if((len == strlen(p->name)) && !strncmp(p->name,profile_name,
158 len))
159 {
160 *pptr=p;
161 return 0;
162 }
163
164 p++;
165 }
166
167 return 1;
168 }
169
170static int find_profile_by_num(unsigned profile_num,
171 SRTP_PROTECTION_PROFILE **pptr)
172 {
173 SRTP_PROTECTION_PROFILE *p;
174
175 p=srtp_known_profiles;
176 while(p->name)
177 {
178 if(p->id == profile_num)
179 {
180 *pptr=p;
181 return 0;
182 }
183 p++;
184 }
185
186 return 1;
187 }
188
189static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
190 {
191 STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
192
193 char *col;
194 char *ptr=(char *)profiles_string;
195
196 SRTP_PROTECTION_PROFILE *p;
197
198 if(!(profiles=sk_SRTP_PROTECTION_PROFILE_new_null()))
199 {
200 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);
201 return 1;
202 }
203
204 do
205 {
206 col=strchr(ptr,':');
207
208 if(!find_profile_by_name(ptr,&p,
209 col ? col-ptr : (int)strlen(ptr)))
210 {
211 sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
212 }
213 else
214 {
215 SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
216 return 1;
217 }
218
219 if(col) ptr=col+1;
220 } while (col);
221
222 *out=profiles;
223
224 return 0;
225 }
226
227int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,const char *profiles)
228 {
229 return ssl_ctx_make_profiles(profiles,&ctx->srtp_profiles);
230 }
231
232int SSL_set_tlsext_use_srtp(SSL *s,const char *profiles)
233 {
234 return ssl_ctx_make_profiles(profiles,&s->srtp_profiles);
235 }
236
237
238STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *s)
239 {
240 if(s != NULL)
241 {
242 if(s->srtp_profiles != NULL)
243 {
244 return s->srtp_profiles;
245 }
246 else if((s->ctx != NULL) &&
247 (s->ctx->srtp_profiles != NULL))
248 {
249 return s->ctx->srtp_profiles;
250 }
251 }
252
253 return NULL;
254 }
255
256SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s)
257 {
258 return s->srtp_profile;
259 }
260
261/* Note: this function returns 0 length if there are no
262 profiles specified */
263int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
264 {
265 int ct=0;
266 int i;
267 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0;
268 SRTP_PROTECTION_PROFILE *prof;
269
270 clnt=SSL_get_srtp_profiles(s);
271 ct=sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
272
273 if(p)
274 {
275 if(ct==0)
276 {
277 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
278 return 1;
279 }
280
281 if((2 + ct*2 + 1) > maxlen)
282 {
283 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
284 return 1;
285 }
286
287 /* Add the length */
288 s2n(ct * 2, p);
289 for(i=0;i<ct;i++)
290 {
291 prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i);
292 s2n(prof->id,p);
293 }
294
295 /* Add an empty use_mki value */
296 *p++ = 0;
297 }
298
299 *len=2 + ct*2 + 1;
300
301 return 0;
302 }
303
304
305int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
306 {
307 SRTP_PROTECTION_PROFILE *cprof,*sprof;
308 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
309 int ct;
310 int mki_len;
311 int i,j;
312 int id;
313 int ret;
314
315 /* Length value + the MKI length */
316 if(len < 3)
317 {
318 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
319 *al=SSL_AD_DECODE_ERROR;
320 return 1;
321 }
322
323 /* Pull off the length of the cipher suite list */
324 n2s(d, ct);
325 len -= 2;
326
327 /* Check that it is even */
328 if(ct%2)
329 {
330 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
331 *al=SSL_AD_DECODE_ERROR;
332 return 1;
333 }
334
335 /* Check that lengths are consistent */
336 if(len < (ct + 1))
337 {
338 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
339 *al=SSL_AD_DECODE_ERROR;
340 return 1;
341 }
342
343
344 clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
345
346 while(ct)
347 {
348 n2s(d,id);
349 ct-=2;
350 len-=2;
351
352 if(!find_profile_by_num(id,&cprof))
353 {
354 sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
355 }
356 else
357 {
358 ; /* Ignore */
359 }
360 }
361
362 /* Now extract the MKI value as a sanity check, but discard it for now */
363 mki_len = *d;
364 d++; len--;
365
366 if (mki_len != len)
367 {
368 SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE);
369 *al=SSL_AD_DECODE_ERROR;
370 return 1;
371 }
372
373 srvr=SSL_get_srtp_profiles(s);
374
375 /* Pick our most preferred profile. If no profiles have been
376 configured then the outer loop doesn't run
377 (sk_SRTP_PROTECTION_PROFILE_num() = -1)
378 and so we just return without doing anything */
379 for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
380 {
381 sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
382
383 for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
384 {
385 cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
386
387 if(cprof->id==sprof->id)
388 {
389 s->srtp_profile=sprof;
390 *al=0;
391 ret=0;
392 goto done;
393 }
394 }
395 }
396
397 ret=0;
398
399done:
400 if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
401
402 return ret;
403 }
404
405int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
406 {
407 if(p)
408 {
409 if(maxlen < 5)
410 {
411 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
412 return 1;
413 }
414
415 if(s->srtp_profile==0)
416 {
417 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_USE_SRTP_NOT_NEGOTIATED);
418 return 1;
419 }
420 s2n(2, p);
421 s2n(s->srtp_profile->id,p);
422 *p++ = 0;
423 }
424 *len=5;
425
426 return 0;
427 }
428
429
430int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
431 {
432 unsigned id;
433 int i;
434 int ct;
435
436 STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
437 SRTP_PROTECTION_PROFILE *prof;
438
439 if(len!=5)
440 {
441 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
442 *al=SSL_AD_DECODE_ERROR;
443 return 1;
444 }
445
446 n2s(d, ct);
447 if(ct!=2)
448 {
449 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
450 *al=SSL_AD_DECODE_ERROR;
451 return 1;
452 }
453
454 n2s(d,id);
455 if (*d) /* Must be no MKI, since we never offer one */
456 {
457 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE);
458 *al=SSL_AD_ILLEGAL_PARAMETER;
459 return 1;
460 }
461
462 clnt=SSL_get_srtp_profiles(s);
463
464 /* Throw an error if the server gave us an unsolicited extension */
465 if (clnt == NULL)
466 {
467 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_NO_SRTP_PROFILES);
468 *al=SSL_AD_DECODE_ERROR;
469 return 1;
470 }
471
472 /* Check to see if the server gave us something we support
473 (and presumably offered)
474 */
475 for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(clnt);i++)
476 {
477 prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i);
478
479 if(prof->id == id)
480 {
481 s->srtp_profile=prof;
482 *al=0;
483 return 0;
484 }
485 }
486
487 SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
488 *al=SSL_AD_DECODE_ERROR;
489 return 1;
490 }
491
492
493#endif
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 149983be30..29421da9aa 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -151,6 +151,10 @@ int dtls1_accept(SSL *s)
151 int ret= -1; 151 int ret= -1;
152 int new_state,state,skip=0; 152 int new_state,state,skip=0;
153 int listen; 153 int listen;
154#ifndef OPENSSL_NO_SCTP
155 unsigned char sctpauthkey[64];
156 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
157#endif
154 158
155 RAND_add(&Time,sizeof(Time),0); 159 RAND_add(&Time,sizeof(Time),0);
156 ERR_clear_error(); 160 ERR_clear_error();
@@ -168,6 +172,13 @@ int dtls1_accept(SSL *s)
168 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 172 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
169 173
170 s->d1->listen = listen; 174 s->d1->listen = listen;
175#ifndef OPENSSL_NO_SCTP
176 /* Notify SCTP BIO socket to enter handshake
177 * mode and prevent stream identifier other
178 * than 0. Will be ignored if no SCTP is used.
179 */
180 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
181#endif
171 182
172 if (s->cert == NULL) 183 if (s->cert == NULL)
173 { 184 {
@@ -175,6 +186,19 @@ int dtls1_accept(SSL *s)
175 return(-1); 186 return(-1);
176 } 187 }
177 188
189#ifndef OPENSSL_NO_HEARTBEATS
190 /* If we're awaiting a HeartbeatResponse, pretend we
191 * already got and don't await it anymore, because
192 * Heartbeats don't make sense during handshakes anyway.
193 */
194 if (s->tlsext_hb_pending)
195 {
196 dtls1_stop_timer(s);
197 s->tlsext_hb_pending = 0;
198 s->tlsext_hb_seq++;
199 }
200#endif
201
178 for (;;) 202 for (;;)
179 { 203 {
180 state=s->state; 204 state=s->state;
@@ -182,7 +206,7 @@ int dtls1_accept(SSL *s)
182 switch (s->state) 206 switch (s->state)
183 { 207 {
184 case SSL_ST_RENEGOTIATE: 208 case SSL_ST_RENEGOTIATE:
185 s->new_session=1; 209 s->renegotiate=1;
186 /* s->state=SSL_ST_ACCEPT; */ 210 /* s->state=SSL_ST_ACCEPT; */
187 211
188 case SSL_ST_BEFORE: 212 case SSL_ST_BEFORE:
@@ -227,8 +251,12 @@ int dtls1_accept(SSL *s)
227 { 251 {
228 /* Ok, we now need to push on a buffering BIO so that 252 /* Ok, we now need to push on a buffering BIO so that
229 * the output is sent in a way that TCP likes :-) 253 * the output is sent in a way that TCP likes :-)
254 * ...but not with SCTP :-)
230 */ 255 */
231 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 256#ifndef OPENSSL_NO_SCTP
257 if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
258#endif
259 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
232 260
233 ssl3_init_finished_mac(s); 261 ssl3_init_finished_mac(s);
234 s->state=SSL3_ST_SR_CLNT_HELLO_A; 262 s->state=SSL3_ST_SR_CLNT_HELLO_A;
@@ -313,25 +341,75 @@ int dtls1_accept(SSL *s)
313 ssl3_init_finished_mac(s); 341 ssl3_init_finished_mac(s);
314 break; 342 break;
315 343
344#ifndef OPENSSL_NO_SCTP
345 case DTLS1_SCTP_ST_SR_READ_SOCK:
346
347 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
348 {
349 s->s3->in_read_app_data=2;
350 s->rwstate=SSL_READING;
351 BIO_clear_retry_flags(SSL_get_rbio(s));
352 BIO_set_retry_read(SSL_get_rbio(s));
353 ret = -1;
354 goto end;
355 }
356
357 s->state=SSL3_ST_SR_FINISHED_A;
358 break;
359
360 case DTLS1_SCTP_ST_SW_WRITE_SOCK:
361 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
362 if (ret < 0) goto end;
363
364 if (ret == 0)
365 {
366 if (s->d1->next_state != SSL_ST_OK)
367 {
368 s->s3->in_read_app_data=2;
369 s->rwstate=SSL_READING;
370 BIO_clear_retry_flags(SSL_get_rbio(s));
371 BIO_set_retry_read(SSL_get_rbio(s));
372 ret = -1;
373 goto end;
374 }
375 }
376
377 s->state=s->d1->next_state;
378 break;
379#endif
380
316 case SSL3_ST_SW_SRVR_HELLO_A: 381 case SSL3_ST_SW_SRVR_HELLO_A:
317 case SSL3_ST_SW_SRVR_HELLO_B: 382 case SSL3_ST_SW_SRVR_HELLO_B:
318 s->new_session = 2; 383 s->renegotiate = 2;
319 dtls1_start_timer(s); 384 dtls1_start_timer(s);
320 ret=dtls1_send_server_hello(s); 385 ret=dtls1_send_server_hello(s);
321 if (ret <= 0) goto end; 386 if (ret <= 0) goto end;
322 387
323#ifndef OPENSSL_NO_TLSEXT
324 if (s->hit) 388 if (s->hit)
325 { 389 {
390#ifndef OPENSSL_NO_SCTP
391 /* Add new shared key for SCTP-Auth,
392 * will be ignored if no SCTP used.
393 */
394 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
395 DTLS1_SCTP_AUTH_LABEL);
396
397 SSL_export_keying_material(s, sctpauthkey,
398 sizeof(sctpauthkey), labelbuffer,
399 sizeof(labelbuffer), NULL, 0, 0);
400
401 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
402 sizeof(sctpauthkey), sctpauthkey);
403#endif
404#ifndef OPENSSL_NO_TLSEXT
326 if (s->tlsext_ticket_expected) 405 if (s->tlsext_ticket_expected)
327 s->state=SSL3_ST_SW_SESSION_TICKET_A; 406 s->state=SSL3_ST_SW_SESSION_TICKET_A;
328 else 407 else
329 s->state=SSL3_ST_SW_CHANGE_A; 408 s->state=SSL3_ST_SW_CHANGE_A;
330 }
331#else 409#else
332 if (s->hit) 410 s->state=SSL3_ST_SW_CHANGE_A;
333 s->state=SSL3_ST_SW_CHANGE_A;
334#endif 411#endif
412 }
335 else 413 else
336 s->state=SSL3_ST_SW_CERT_A; 414 s->state=SSL3_ST_SW_CERT_A;
337 s->init_num=0; 415 s->init_num=0;
@@ -441,6 +519,13 @@ int dtls1_accept(SSL *s)
441 skip=1; 519 skip=1;
442 s->s3->tmp.cert_request=0; 520 s->s3->tmp.cert_request=0;
443 s->state=SSL3_ST_SW_SRVR_DONE_A; 521 s->state=SSL3_ST_SW_SRVR_DONE_A;
522#ifndef OPENSSL_NO_SCTP
523 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
524 {
525 s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
526 s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
527 }
528#endif
444 } 529 }
445 else 530 else
446 { 531 {
@@ -450,9 +535,23 @@ int dtls1_accept(SSL *s)
450 if (ret <= 0) goto end; 535 if (ret <= 0) goto end;
451#ifndef NETSCAPE_HANG_BUG 536#ifndef NETSCAPE_HANG_BUG
452 s->state=SSL3_ST_SW_SRVR_DONE_A; 537 s->state=SSL3_ST_SW_SRVR_DONE_A;
538#ifndef OPENSSL_NO_SCTP
539 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
540 {
541 s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
542 s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
543 }
544#endif
453#else 545#else
454 s->state=SSL3_ST_SW_FLUSH; 546 s->state=SSL3_ST_SW_FLUSH;
455 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 547 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
548#ifndef OPENSSL_NO_SCTP
549 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
550 {
551 s->d1->next_state = s->s3->tmp.next_state;
552 s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
553 }
554#endif
456#endif 555#endif
457 s->init_num=0; 556 s->init_num=0;
458 } 557 }
@@ -472,6 +571,13 @@ int dtls1_accept(SSL *s)
472 s->rwstate=SSL_WRITING; 571 s->rwstate=SSL_WRITING;
473 if (BIO_flush(s->wbio) <= 0) 572 if (BIO_flush(s->wbio) <= 0)
474 { 573 {
574 /* If the write error was fatal, stop trying */
575 if (!BIO_should_retry(s->wbio))
576 {
577 s->rwstate=SSL_NOTHING;
578 s->state=s->s3->tmp.next_state;
579 }
580
475 ret= -1; 581 ret= -1;
476 goto end; 582 goto end;
477 } 583 }
@@ -485,15 +591,16 @@ int dtls1_accept(SSL *s)
485 ret = ssl3_check_client_hello(s); 591 ret = ssl3_check_client_hello(s);
486 if (ret <= 0) 592 if (ret <= 0)
487 goto end; 593 goto end;
488 dtls1_stop_timer(s);
489 if (ret == 2) 594 if (ret == 2)
595 {
596 dtls1_stop_timer(s);
490 s->state = SSL3_ST_SR_CLNT_HELLO_C; 597 s->state = SSL3_ST_SR_CLNT_HELLO_C;
598 }
491 else { 599 else {
492 /* could be sent for a DH cert, even if we 600 /* could be sent for a DH cert, even if we
493 * have not asked for it :-) */ 601 * have not asked for it :-) */
494 ret=ssl3_get_client_certificate(s); 602 ret=ssl3_get_client_certificate(s);
495 if (ret <= 0) goto end; 603 if (ret <= 0) goto end;
496 dtls1_stop_timer(s);
497 s->init_num=0; 604 s->init_num=0;
498 s->state=SSL3_ST_SR_KEY_EXCH_A; 605 s->state=SSL3_ST_SR_KEY_EXCH_A;
499 } 606 }
@@ -503,7 +610,21 @@ int dtls1_accept(SSL *s)
503 case SSL3_ST_SR_KEY_EXCH_B: 610 case SSL3_ST_SR_KEY_EXCH_B:
504 ret=ssl3_get_client_key_exchange(s); 611 ret=ssl3_get_client_key_exchange(s);
505 if (ret <= 0) goto end; 612 if (ret <= 0) goto end;
506 dtls1_stop_timer(s); 613#ifndef OPENSSL_NO_SCTP
614 /* Add new shared key for SCTP-Auth,
615 * will be ignored if no SCTP used.
616 */
617 snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
618 DTLS1_SCTP_AUTH_LABEL);
619
620 SSL_export_keying_material(s, sctpauthkey,
621 sizeof(sctpauthkey), labelbuffer,
622 sizeof(labelbuffer), NULL, 0, 0);
623
624 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
625 sizeof(sctpauthkey), sctpauthkey);
626#endif
627
507 s->state=SSL3_ST_SR_CERT_VRFY_A; 628 s->state=SSL3_ST_SR_CERT_VRFY_A;
508 s->init_num=0; 629 s->init_num=0;
509 630
@@ -540,9 +661,13 @@ int dtls1_accept(SSL *s)
540 /* we should decide if we expected this one */ 661 /* we should decide if we expected this one */
541 ret=ssl3_get_cert_verify(s); 662 ret=ssl3_get_cert_verify(s);
542 if (ret <= 0) goto end; 663 if (ret <= 0) goto end;
543 dtls1_stop_timer(s); 664#ifndef OPENSSL_NO_SCTP
544 665 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
545 s->state=SSL3_ST_SR_FINISHED_A; 666 state == SSL_ST_RENEGOTIATE)
667 s->state=DTLS1_SCTP_ST_SR_READ_SOCK;
668 else
669#endif
670 s->state=SSL3_ST_SR_FINISHED_A;
546 s->init_num=0; 671 s->init_num=0;
547 break; 672 break;
548 673
@@ -594,6 +719,14 @@ int dtls1_accept(SSL *s)
594 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 719 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
595 720
596 if (ret <= 0) goto end; 721 if (ret <= 0) goto end;
722
723#ifndef OPENSSL_NO_SCTP
724 /* Change to new shared key of SCTP-Auth,
725 * will be ignored if no SCTP used.
726 */
727 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
728#endif
729
597 s->state=SSL3_ST_SW_FINISHED_A; 730 s->state=SSL3_ST_SW_FINISHED_A;
598 s->init_num=0; 731 s->init_num=0;
599 732
@@ -618,7 +751,16 @@ int dtls1_accept(SSL *s)
618 if (s->hit) 751 if (s->hit)
619 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 752 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
620 else 753 else
754 {
621 s->s3->tmp.next_state=SSL_ST_OK; 755 s->s3->tmp.next_state=SSL_ST_OK;
756#ifndef OPENSSL_NO_SCTP
757 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
758 {
759 s->d1->next_state = s->s3->tmp.next_state;
760 s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
761 }
762#endif
763 }
622 s->init_num=0; 764 s->init_num=0;
623 break; 765 break;
624 766
@@ -636,11 +778,9 @@ int dtls1_accept(SSL *s)
636 778
637 s->init_num=0; 779 s->init_num=0;
638 780
639 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 781 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
640 { 782 {
641 /* actually not necessarily a 'new' session unless 783 s->renegotiate=0;
642 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
643
644 s->new_session=0; 784 s->new_session=0;
645 785
646 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 786 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
@@ -692,6 +832,14 @@ end:
692 /* BIO_flush(s->wbio); */ 832 /* BIO_flush(s->wbio); */
693 833
694 s->in_handshake--; 834 s->in_handshake--;
835#ifndef OPENSSL_NO_SCTP
836 /* Notify SCTP BIO socket to leave handshake
837 * mode and prevent stream identifier other
838 * than 0. Will be ignored if no SCTP is used.
839 */
840 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
841#endif
842
695 if (cb != NULL) 843 if (cb != NULL)
696 cb(s,SSL_CB_ACCEPT_EXIT,ret); 844 cb(s,SSL_CB_ACCEPT_EXIT,ret);
697 return(ret); 845 return(ret);
@@ -772,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
772 p=s->s3->server_random; 920 p=s->s3->server_random;
773 Time=(unsigned long)time(NULL); /* Time */ 921 Time=(unsigned long)time(NULL); /* Time */
774 l2n(Time,p); 922 l2n(Time,p);
775 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 923 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
776 /* Do the message type and length last */ 924 /* Do the message type and length last */
777 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 925 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
778 926
@@ -1147,7 +1295,7 @@ int dtls1_send_server_key_exchange(SSL *s)
1147 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1295 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1148 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1296 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1149 { 1297 {
1150 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1298 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher, NULL))
1151 == NULL) 1299 == NULL)
1152 { 1300 {
1153 al=SSL_AD_DECODE_ERROR; 1301 al=SSL_AD_DECODE_ERROR;
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index 2900d1d8ae..5008bf6081 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -105,6 +105,11 @@ extern "C" {
105#define DTLS1_AL_HEADER_LENGTH 2 105#define DTLS1_AL_HEADER_LENGTH 2
106#endif 106#endif
107 107
108#ifndef OPENSSL_NO_SSL_INTERN
109
110#ifndef OPENSSL_NO_SCTP
111#define DTLS1_SCTP_AUTH_LABEL "EXPORTER_DTLS_OVER_SCTP"
112#endif
108 113
109typedef struct dtls1_bitmap_st 114typedef struct dtls1_bitmap_st
110 { 115 {
@@ -227,7 +232,7 @@ typedef struct dtls1_state_st
227 232
228 struct dtls1_timeout_st timeout; 233 struct dtls1_timeout_st timeout;
229 234
230 /* Indicates when the last handshake msg sent will timeout */ 235 /* Indicates when the last handshake msg or heartbeat sent will timeout */
231 struct timeval next_timeout; 236 struct timeval next_timeout;
232 237
233 /* Timeout duration */ 238 /* Timeout duration */
@@ -243,6 +248,13 @@ typedef struct dtls1_state_st
243 unsigned int retransmitting; 248 unsigned int retransmitting;
244 unsigned int change_cipher_spec_ok; 249 unsigned int change_cipher_spec_ok;
245 250
251#ifndef OPENSSL_NO_SCTP
252 /* used when SSL_ST_XX_FLUSH is entered */
253 int next_state;
254
255 int shutdown_received;
256#endif
257
246 } DTLS1_STATE; 258 } DTLS1_STATE;
247 259
248typedef struct dtls1_record_data_st 260typedef struct dtls1_record_data_st
@@ -251,8 +263,12 @@ typedef struct dtls1_record_data_st
251 unsigned int packet_length; 263 unsigned int packet_length;
252 SSL3_BUFFER rbuf; 264 SSL3_BUFFER rbuf;
253 SSL3_RECORD rrec; 265 SSL3_RECORD rrec;
266#ifndef OPENSSL_NO_SCTP
267 struct bio_dgram_sctp_rcvinfo recordinfo;
268#endif
254 } DTLS1_RECORD_DATA; 269 } DTLS1_RECORD_DATA;
255 270
271#endif
256 272
257/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */ 273/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
258#define DTLS1_TMO_READ_COUNT 2 274#define DTLS1_TMO_READ_COUNT 2
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index c4d8bf2eb3..47673e740a 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -129,6 +129,10 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
129 return(SSLv3_client_method()); 129 return(SSLv3_client_method());
130 else if (ver == TLS1_VERSION) 130 else if (ver == TLS1_VERSION)
131 return(TLSv1_client_method()); 131 return(TLSv1_client_method());
132 else if (ver == TLS1_1_VERSION)
133 return(TLSv1_1_client_method());
134 else if (ver == TLS1_2_VERSION)
135 return(TLSv1_2_client_method());
132 else 136 else
133 return(NULL); 137 return(NULL);
134 } 138 }
@@ -278,24 +282,51 @@ static int ssl23_client_hello(SSL *s)
278 SSL_COMP *comp; 282 SSL_COMP *comp;
279#endif 283#endif
280 int ret; 284 int ret;
285 unsigned long mask, options = s->options;
281 286
282 ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1; 287 ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
283 288
284 if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) 289 if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
285 ssl2_compat = 0; 290 ssl2_compat = 0;
286 291
287 if (!(s->options & SSL_OP_NO_TLSv1)) 292 /*
288 { 293 * SSL_OP_NO_X disables all protocols above X *if* there are
294 * some protocols below X enabled. This is required in order
295 * to maintain "version capability" vector contiguous. So
296 * that if application wants to disable TLS1.0 in favour of
297 * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
298 * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
299 */
300 mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
301#if !defined(OPENSSL_NO_SSL3)
302 |SSL_OP_NO_SSLv3
303#endif
304#if !defined(OPENSSL_NO_SSL2)
305 |(ssl2_compat?SSL_OP_NO_SSLv2:0)
306#endif
307 ;
308#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
309 version = TLS1_2_VERSION;
310
311 if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
312 version = TLS1_1_VERSION;
313#else
314 version = TLS1_1_VERSION;
315#endif
316 mask &= ~SSL_OP_NO_TLSv1_1;
317 if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
289 version = TLS1_VERSION; 318 version = TLS1_VERSION;
290 } 319 mask &= ~SSL_OP_NO_TLSv1;
291 else if (!(s->options & SSL_OP_NO_SSLv3)) 320#if !defined(OPENSSL_NO_SSL3)
292 { 321 if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
293 version = SSL3_VERSION; 322 version = SSL3_VERSION;
294 } 323 mask &= ~SSL_OP_NO_SSLv3;
295 else if (!(s->options & SSL_OP_NO_SSLv2)) 324#endif
296 { 325#if !defined(OPENSSL_NO_SSL2)
326 if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
297 version = SSL2_VERSION; 327 version = SSL2_VERSION;
298 } 328#endif
329
299#ifndef OPENSSL_NO_TLSEXT 330#ifndef OPENSSL_NO_TLSEXT
300 if (version != SSL2_VERSION) 331 if (version != SSL2_VERSION)
301 { 332 {
@@ -329,11 +360,29 @@ static int ssl23_client_hello(SSL *s)
329 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) 360 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
330 return -1; 361 return -1;
331 362
332 if (version == TLS1_VERSION) 363 if (version == TLS1_2_VERSION)
364 {
365 version_major = TLS1_2_VERSION_MAJOR;
366 version_minor = TLS1_2_VERSION_MINOR;
367 }
368 else if (version == TLS1_1_VERSION)
369 {
370 version_major = TLS1_1_VERSION_MAJOR;
371 version_minor = TLS1_1_VERSION_MINOR;
372 }
373 else if (version == TLS1_VERSION)
333 { 374 {
334 version_major = TLS1_VERSION_MAJOR; 375 version_major = TLS1_VERSION_MAJOR;
335 version_minor = TLS1_VERSION_MINOR; 376 version_minor = TLS1_VERSION_MINOR;
336 } 377 }
378#ifdef OPENSSL_FIPS
379 else if(FIPS_mode())
380 {
381 SSLerr(SSL_F_SSL23_CLIENT_HELLO,
382 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
383 return -1;
384 }
385#endif
337 else if (version == SSL3_VERSION) 386 else if (version == SSL3_VERSION)
338 { 387 {
339 version_major = SSL3_VERSION_MAJOR; 388 version_major = SSL3_VERSION_MAJOR;
@@ -437,6 +486,15 @@ static int ssl23_client_hello(SSL *s)
437 SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 486 SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
438 return -1; 487 return -1;
439 } 488 }
489#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
490 /* Some servers hang if client hello > 256 bytes
491 * as hack workaround chop number of supported ciphers
492 * to keep it well below this if we use TLS v1.2
493 */
494 if (TLS1_get_version(s) >= TLS1_2_VERSION
495 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
496 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
497#endif
440 s2n(i,p); 498 s2n(i,p);
441 p+=i; 499 p+=i;
442 500
@@ -491,8 +549,13 @@ static int ssl23_client_hello(SSL *s)
491 d=buf; 549 d=buf;
492 *(d++) = SSL3_RT_HANDSHAKE; 550 *(d++) = SSL3_RT_HANDSHAKE;
493 *(d++) = version_major; 551 *(d++) = version_major;
494 *(d++) = version_minor; /* arguably we should send the *lowest* suported version here 552 /* Some servers hang if we use long client hellos
495 * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */ 553 * and a record number > TLS 1.0.
554 */
555 if (TLS1_get_client_version(s) > TLS1_VERSION)
556 *(d++) = 1;
557 else
558 *(d++) = version_minor;
496 s2n((int)l,d); 559 s2n((int)l,d);
497 560
498 /* number of bytes to write */ 561 /* number of bytes to write */
@@ -608,7 +671,7 @@ static int ssl23_get_server_hello(SSL *s)
608#endif 671#endif
609 } 672 }
610 else if (p[1] == SSL3_VERSION_MAJOR && 673 else if (p[1] == SSL3_VERSION_MAJOR &&
611 (p[2] == SSL3_VERSION_MINOR || p[2] == TLS1_VERSION_MINOR) && 674 p[2] <= TLS1_2_VERSION_MINOR &&
612 ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || 675 ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) ||
613 (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) 676 (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2)))
614 { 677 {
@@ -617,6 +680,14 @@ static int ssl23_get_server_hello(SSL *s)
617 if ((p[2] == SSL3_VERSION_MINOR) && 680 if ((p[2] == SSL3_VERSION_MINOR) &&
618 !(s->options & SSL_OP_NO_SSLv3)) 681 !(s->options & SSL_OP_NO_SSLv3))
619 { 682 {
683#ifdef OPENSSL_FIPS
684 if(FIPS_mode())
685 {
686 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
687 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
688 goto err;
689 }
690#endif
620 s->version=SSL3_VERSION; 691 s->version=SSL3_VERSION;
621 s->method=SSLv3_client_method(); 692 s->method=SSLv3_client_method();
622 } 693 }
@@ -626,6 +697,18 @@ static int ssl23_get_server_hello(SSL *s)
626 s->version=TLS1_VERSION; 697 s->version=TLS1_VERSION;
627 s->method=TLSv1_client_method(); 698 s->method=TLSv1_client_method();
628 } 699 }
700 else if ((p[2] == TLS1_1_VERSION_MINOR) &&
701 !(s->options & SSL_OP_NO_TLSv1_1))
702 {
703 s->version=TLS1_1_VERSION;
704 s->method=TLSv1_1_client_method();
705 }
706 else if ((p[2] == TLS1_2_VERSION_MINOR) &&
707 !(s->options & SSL_OP_NO_TLSv1_2))
708 {
709 s->version=TLS1_2_VERSION;
710 s->method=TLSv1_2_client_method();
711 }
629 else 712 else
630 { 713 {
631 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); 714 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 836dd1f1cf..4877849013 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -115,6 +115,9 @@
115#include <openssl/rand.h> 115#include <openssl/rand.h>
116#include <openssl/objects.h> 116#include <openssl/objects.h>
117#include <openssl/evp.h> 117#include <openssl/evp.h>
118#ifdef OPENSSL_FIPS
119#include <openssl/fips.h>
120#endif
118 121
119static const SSL_METHOD *ssl23_get_server_method(int ver); 122static const SSL_METHOD *ssl23_get_server_method(int ver);
120int ssl23_get_client_hello(SSL *s); 123int ssl23_get_client_hello(SSL *s);
@@ -128,6 +131,10 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
128 return(SSLv3_server_method()); 131 return(SSLv3_server_method());
129 else if (ver == TLS1_VERSION) 132 else if (ver == TLS1_VERSION)
130 return(TLSv1_server_method()); 133 return(TLSv1_server_method());
134 else if (ver == TLS1_1_VERSION)
135 return(TLSv1_1_server_method());
136 else if (ver == TLS1_2_VERSION)
137 return(TLSv1_2_server_method());
131 else 138 else
132 return(NULL); 139 return(NULL);
133 } 140 }
@@ -283,7 +290,20 @@ int ssl23_get_client_hello(SSL *s)
283 /* SSLv3/TLSv1 */ 290 /* SSLv3/TLSv1 */
284 if (p[4] >= TLS1_VERSION_MINOR) 291 if (p[4] >= TLS1_VERSION_MINOR)
285 { 292 {
286 if (!(s->options & SSL_OP_NO_TLSv1)) 293 if (p[4] >= TLS1_2_VERSION_MINOR &&
294 !(s->options & SSL_OP_NO_TLSv1_2))
295 {
296 s->version=TLS1_2_VERSION;
297 s->state=SSL23_ST_SR_CLNT_HELLO_B;
298 }
299 else if (p[4] >= TLS1_1_VERSION_MINOR &&
300 !(s->options & SSL_OP_NO_TLSv1_1))
301 {
302 s->version=TLS1_1_VERSION;
303 /* type=2; */ /* done later to survive restarts */
304 s->state=SSL23_ST_SR_CLNT_HELLO_B;
305 }
306 else if (!(s->options & SSL_OP_NO_TLSv1))
287 { 307 {
288 s->version=TLS1_VERSION; 308 s->version=TLS1_VERSION;
289 /* type=2; */ /* done later to survive restarts */ 309 /* type=2; */ /* done later to survive restarts */
@@ -350,7 +370,19 @@ int ssl23_get_client_hello(SSL *s)
350 v[1]=p[10]; /* minor version according to client_version */ 370 v[1]=p[10]; /* minor version according to client_version */
351 if (v[1] >= TLS1_VERSION_MINOR) 371 if (v[1] >= TLS1_VERSION_MINOR)
352 { 372 {
353 if (!(s->options & SSL_OP_NO_TLSv1)) 373 if (v[1] >= TLS1_2_VERSION_MINOR &&
374 !(s->options & SSL_OP_NO_TLSv1_2))
375 {
376 s->version=TLS1_2_VERSION;
377 type=3;
378 }
379 else if (v[1] >= TLS1_1_VERSION_MINOR &&
380 !(s->options & SSL_OP_NO_TLSv1_1))
381 {
382 s->version=TLS1_1_VERSION;
383 type=3;
384 }
385 else if (!(s->options & SSL_OP_NO_TLSv1))
354 { 386 {
355 s->version=TLS1_VERSION; 387 s->version=TLS1_VERSION;
356 type=3; 388 type=3;
@@ -393,6 +425,15 @@ int ssl23_get_client_hello(SSL *s)
393 } 425 }
394 } 426 }
395 427
428#ifdef OPENSSL_FIPS
429 if (FIPS_mode() && (s->version < TLS1_VERSION))
430 {
431 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
432 SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
433 goto err;
434 }
435#endif
436
396 if (s->state == SSL23_ST_SR_CLNT_HELLO_B) 437 if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
397 { 438 {
398 /* we have SSLv3/TLSv1 in an SSLv2 header 439 /* we have SSLv3/TLSv1 in an SSLv2 header
@@ -567,8 +608,11 @@ int ssl23_get_client_hello(SSL *s)
567 s->s3->rbuf.left=0; 608 s->s3->rbuf.left=0;
568 s->s3->rbuf.offset=0; 609 s->s3->rbuf.offset=0;
569 } 610 }
570 611 if (s->version == TLS1_2_VERSION)
571 if (s->version == TLS1_VERSION) 612 s->method = TLSv1_2_server_method();
613 else if (s->version == TLS1_1_VERSION)
614 s->method = TLSv1_1_server_method();
615 else if (s->version == TLS1_VERSION)
572 s->method = TLSv1_server_method(); 616 s->method = TLSv1_server_method();
573 else 617 else
574 s->method = SSLv3_server_method(); 618 s->method = SSLv3_server_method();
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index a6d869df59..b63460a56d 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -202,15 +202,38 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
202 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 202 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
203 } 203 }
204 204
205#ifndef OPENSSL_NO_NEXTPROTONEG
206/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
207static void ssl3_take_mac(SSL *s) {
208 const char *sender;
209 int slen;
210
211 if (s->state & SSL_ST_CONNECT)
212 {
213 sender=s->method->ssl3_enc->server_finished_label;
214 slen=s->method->ssl3_enc->server_finished_label_len;
215 }
216 else
217 {
218 sender=s->method->ssl3_enc->client_finished_label;
219 slen=s->method->ssl3_enc->client_finished_label_len;
220 }
221
222 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
223 sender,slen,s->s3->tmp.peer_finish_md);
224}
225#endif
226
205int ssl3_get_finished(SSL *s, int a, int b) 227int ssl3_get_finished(SSL *s, int a, int b)
206 { 228 {
207 int al,i,ok; 229 int al,i,ok;
208 long n; 230 long n;
209 unsigned char *p; 231 unsigned char *p;
210 232
211 /* the mac has already been generated when we received the 233#ifdef OPENSSL_NO_NEXTPROTONEG
212 * change cipher spec message and is in s->s3->tmp.peer_finish_md 234 /* the mac has already been generated when we received the change
213 */ 235 * cipher spec message and is in s->s3->tmp.peer_finish_md. */
236#endif
214 237
215 n=s->method->ssl_get_message(s, 238 n=s->method->ssl_get_message(s,
216 a, 239 a,
@@ -514,6 +537,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
514 s->init_num += i; 537 s->init_num += i;
515 n -= i; 538 n -= i;
516 } 539 }
540#ifndef OPENSSL_NO_NEXTPROTONEG
541 /* If receiving Finished, record MAC of prior handshake messages for
542 * Finished verification. */
543 if (*s->init_buf->data == SSL3_MT_FINISHED)
544 ssl3_take_mac(s);
545#endif
546 /* Feed this message into MAC computation. */
517 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 547 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
518 if (s->msg_callback) 548 if (s->msg_callback)
519 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); 549 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 53223bd38d..b80d052e1f 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -156,6 +156,9 @@
156#include <openssl/objects.h> 156#include <openssl/objects.h>
157#include <openssl/evp.h> 157#include <openssl/evp.h>
158#include <openssl/md5.h> 158#include <openssl/md5.h>
159#ifdef OPENSSL_FIPS
160#include <openssl/fips.h>
161#endif
159#ifndef OPENSSL_NO_DH 162#ifndef OPENSSL_NO_DH
160#include <openssl/dh.h> 163#include <openssl/dh.h>
161#endif 164#endif
@@ -200,6 +203,18 @@ int ssl3_connect(SSL *s)
200 s->in_handshake++; 203 s->in_handshake++;
201 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 204 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
202 205
206#ifndef OPENSSL_NO_HEARTBEATS
207 /* If we're awaiting a HeartbeatResponse, pretend we
208 * already got and don't await it anymore, because
209 * Heartbeats don't make sense during handshakes anyway.
210 */
211 if (s->tlsext_hb_pending)
212 {
213 s->tlsext_hb_pending = 0;
214 s->tlsext_hb_seq++;
215 }
216#endif
217
203 for (;;) 218 for (;;)
204 { 219 {
205 state=s->state; 220 state=s->state;
@@ -207,7 +222,7 @@ int ssl3_connect(SSL *s)
207 switch(s->state) 222 switch(s->state)
208 { 223 {
209 case SSL_ST_RENEGOTIATE: 224 case SSL_ST_RENEGOTIATE:
210 s->new_session=1; 225 s->renegotiate=1;
211 s->state=SSL_ST_CONNECT; 226 s->state=SSL_ST_CONNECT;
212 s->ctx->stats.sess_connect_renegotiate++; 227 s->ctx->stats.sess_connect_renegotiate++;
213 /* break */ 228 /* break */
@@ -280,7 +295,16 @@ int ssl3_connect(SSL *s)
280 if (ret <= 0) goto end; 295 if (ret <= 0) goto end;
281 296
282 if (s->hit) 297 if (s->hit)
298 {
283 s->state=SSL3_ST_CR_FINISHED_A; 299 s->state=SSL3_ST_CR_FINISHED_A;
300#ifndef OPENSSL_NO_TLSEXT
301 if (s->tlsext_ticket_expected)
302 {
303 /* receive renewed session ticket */
304 s->state=SSL3_ST_CR_SESSION_TICKET_A;
305 }
306#endif
307 }
284 else 308 else
285 s->state=SSL3_ST_CR_CERT_A; 309 s->state=SSL3_ST_CR_CERT_A;
286 s->init_num=0; 310 s->init_num=0;
@@ -358,6 +382,17 @@ int ssl3_connect(SSL *s)
358 case SSL3_ST_CR_SRVR_DONE_B: 382 case SSL3_ST_CR_SRVR_DONE_B:
359 ret=ssl3_get_server_done(s); 383 ret=ssl3_get_server_done(s);
360 if (ret <= 0) goto end; 384 if (ret <= 0) goto end;
385#ifndef OPENSSL_NO_SRP
386 if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP)
387 {
388 if ((ret = SRP_Calc_A_param(s))<=0)
389 {
390 SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
391 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
392 goto end;
393 }
394 }
395#endif
361 if (s->s3->tmp.cert_req) 396 if (s->s3->tmp.cert_req)
362 s->state=SSL3_ST_CW_CERT_A; 397 s->state=SSL3_ST_CW_CERT_A;
363 else 398 else
@@ -423,7 +458,16 @@ int ssl3_connect(SSL *s)
423 ret=ssl3_send_change_cipher_spec(s, 458 ret=ssl3_send_change_cipher_spec(s,
424 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
425 if (ret <= 0) goto end; 460 if (ret <= 0) goto end;
461
462
463#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
426 s->state=SSL3_ST_CW_FINISHED_A; 464 s->state=SSL3_ST_CW_FINISHED_A;
465#else
466 if (s->s3->next_proto_neg_seen)
467 s->state=SSL3_ST_CW_NEXT_PROTO_A;
468 else
469 s->state=SSL3_ST_CW_FINISHED_A;
470#endif
427 s->init_num=0; 471 s->init_num=0;
428 472
429 s->session->cipher=s->s3->tmp.new_cipher; 473 s->session->cipher=s->s3->tmp.new_cipher;
@@ -451,6 +495,15 @@ int ssl3_connect(SSL *s)
451 495
452 break; 496 break;
453 497
498#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
499 case SSL3_ST_CW_NEXT_PROTO_A:
500 case SSL3_ST_CW_NEXT_PROTO_B:
501 ret=ssl3_send_next_proto(s);
502 if (ret <= 0) goto end;
503 s->state=SSL3_ST_CW_FINISHED_A;
504 break;
505#endif
506
454 case SSL3_ST_CW_FINISHED_A: 507 case SSL3_ST_CW_FINISHED_A:
455 case SSL3_ST_CW_FINISHED_B: 508 case SSL3_ST_CW_FINISHED_B:
456 ret=ssl3_send_finished(s, 509 ret=ssl3_send_finished(s,
@@ -546,6 +599,7 @@ int ssl3_connect(SSL *s)
546 /* else do it later in ssl3_write */ 599 /* else do it later in ssl3_write */
547 600
548 s->init_num=0; 601 s->init_num=0;
602 s->renegotiate=0;
549 s->new_session=0; 603 s->new_session=0;
550 604
551 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 605 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
@@ -635,9 +689,43 @@ int ssl3_client_hello(SSL *s)
635 /* Do the message type and length last */ 689 /* Do the message type and length last */
636 d=p= &(buf[4]); 690 d=p= &(buf[4]);
637 691
692 /* version indicates the negotiated version: for example from
693 * an SSLv2/v3 compatible client hello). The client_version
694 * field is the maximum version we permit and it is also
695 * used in RSA encrypted premaster secrets. Some servers can
696 * choke if we initially report a higher version then
697 * renegotiate to a lower one in the premaster secret. This
698 * didn't happen with TLS 1.0 as most servers supported it
699 * but it can with TLS 1.1 or later if the server only supports
700 * 1.0.
701 *
702 * Possible scenario with previous logic:
703 * 1. Client hello indicates TLS 1.2
704 * 2. Server hello says TLS 1.0
705 * 3. RSA encrypted premaster secret uses 1.2.
706 * 4. Handhaked proceeds using TLS 1.0.
707 * 5. Server sends hello request to renegotiate.
708 * 6. Client hello indicates TLS v1.0 as we now
709 * know that is maximum server supports.
710 * 7. Server chokes on RSA encrypted premaster secret
711 * containing version 1.0.
712 *
713 * For interoperability it should be OK to always use the
714 * maximum version we support in client hello and then rely
715 * on the checking of version to ensure the servers isn't
716 * being inconsistent: for example initially negotiating with
717 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
718 * client_version in client hello and not resetting it to
719 * the negotiated version.
720 */
721#if 0
638 *(p++)=s->version>>8; 722 *(p++)=s->version>>8;
639 *(p++)=s->version&0xff; 723 *(p++)=s->version&0xff;
640 s->client_version=s->version; 724 s->client_version=s->version;
725#else
726 *(p++)=s->client_version>>8;
727 *(p++)=s->client_version&0xff;
728#endif
641 729
642 /* Random stuff */ 730 /* Random stuff */
643 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 731 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
@@ -667,6 +755,15 @@ int ssl3_client_hello(SSL *s)
667 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 755 SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
668 goto err; 756 goto err;
669 } 757 }
758#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
759 /* Some servers hang if client hello > 256 bytes
760 * as hack workaround chop number of supported ciphers
761 * to keep it well below this if we use TLS v1.2
762 */
763 if (TLS1_get_version(s) >= TLS1_2_VERSION
764 && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
765 i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
766#endif
670 s2n(i,p); 767 s2n(i,p);
671 p+=i; 768 p+=i;
672 769
@@ -847,6 +944,14 @@ int ssl3_get_server_hello(SSL *s)
847 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED); 944 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNKNOWN_CIPHER_RETURNED);
848 goto f_err; 945 goto f_err;
849 } 946 }
947 /* TLS v1.2 only ciphersuites require v1.2 or later */
948 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
949 (TLS1_get_version(s) < TLS1_2_VERSION))
950 {
951 al=SSL_AD_ILLEGAL_PARAMETER;
952 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
953 goto f_err;
954 }
850 p+=ssl_put_cipher_by_char(s,NULL,NULL); 955 p+=ssl_put_cipher_by_char(s,NULL,NULL);
851 956
852 sk=ssl_get_ciphers_by_id(s); 957 sk=ssl_get_ciphers_by_id(s);
@@ -878,9 +983,11 @@ int ssl3_get_server_hello(SSL *s)
878 } 983 }
879 } 984 }
880 s->s3->tmp.new_cipher=c; 985 s->s3->tmp.new_cipher=c;
881 if (!ssl3_digest_cached_records(s)) 986 /* Don't digest cached records if TLS v1.2: we may need them for
987 * client authentication.
988 */
989 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
882 goto f_err; 990 goto f_err;
883
884 /* lets get the compression algorithm */ 991 /* lets get the compression algorithm */
885 /* COMPRESSION */ 992 /* COMPRESSION */
886#ifdef OPENSSL_NO_COMP 993#ifdef OPENSSL_NO_COMP
@@ -1159,6 +1266,7 @@ int ssl3_get_key_exchange(SSL *s)
1159 int al,i,j,param_len,ok; 1266 int al,i,j,param_len,ok;
1160 long n,alg_k,alg_a; 1267 long n,alg_k,alg_a;
1161 EVP_PKEY *pkey=NULL; 1268 EVP_PKEY *pkey=NULL;
1269 const EVP_MD *md = NULL;
1162#ifndef OPENSSL_NO_RSA 1270#ifndef OPENSSL_NO_RSA
1163 RSA *rsa=NULL; 1271 RSA *rsa=NULL;
1164#endif 1272#endif
@@ -1282,6 +1390,86 @@ int ssl3_get_key_exchange(SSL *s)
1282 } 1390 }
1283 else 1391 else
1284#endif /* !OPENSSL_NO_PSK */ 1392#endif /* !OPENSSL_NO_PSK */
1393#ifndef OPENSSL_NO_SRP
1394 if (alg_k & SSL_kSRP)
1395 {
1396 n2s(p,i);
1397 param_len=i+2;
1398 if (param_len > n)
1399 {
1400 al=SSL_AD_DECODE_ERROR;
1401 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_N_LENGTH);
1402 goto f_err;
1403 }
1404 if (!(s->srp_ctx.N=BN_bin2bn(p,i,NULL)))
1405 {
1406 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1407 goto err;
1408 }
1409 p+=i;
1410
1411 n2s(p,i);
1412 param_len+=i+2;
1413 if (param_len > n)
1414 {
1415 al=SSL_AD_DECODE_ERROR;
1416 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_G_LENGTH);
1417 goto f_err;
1418 }
1419 if (!(s->srp_ctx.g=BN_bin2bn(p,i,NULL)))
1420 {
1421 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1422 goto err;
1423 }
1424 p+=i;
1425
1426 i = (unsigned int)(p[0]);
1427 p++;
1428 param_len+=i+1;
1429 if (param_len > n)
1430 {
1431 al=SSL_AD_DECODE_ERROR;
1432 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_S_LENGTH);
1433 goto f_err;
1434 }
1435 if (!(s->srp_ctx.s=BN_bin2bn(p,i,NULL)))
1436 {
1437 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1438 goto err;
1439 }
1440 p+=i;
1441
1442 n2s(p,i);
1443 param_len+=i+2;
1444 if (param_len > n)
1445 {
1446 al=SSL_AD_DECODE_ERROR;
1447 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_B_LENGTH);
1448 goto f_err;
1449 }
1450 if (!(s->srp_ctx.B=BN_bin2bn(p,i,NULL)))
1451 {
1452 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_BN_LIB);
1453 goto err;
1454 }
1455 p+=i;
1456 n-=param_len;
1457
1458/* We must check if there is a certificate */
1459#ifndef OPENSSL_NO_RSA
1460 if (alg_a & SSL_aRSA)
1461 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
1462#else
1463 if (0)
1464 ;
1465#endif
1466#ifndef OPENSSL_NO_DSA
1467 else if (alg_a & SSL_aDSS)
1468 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
1469#endif
1470 }
1471 else
1472#endif /* !OPENSSL_NO_SRP */
1285#ifndef OPENSSL_NO_RSA 1473#ifndef OPENSSL_NO_RSA
1286 if (alg_k & SSL_kRSA) 1474 if (alg_k & SSL_kRSA)
1287 { 1475 {
@@ -1529,6 +1717,38 @@ int ssl3_get_key_exchange(SSL *s)
1529 /* if it was signed, check the signature */ 1717 /* if it was signed, check the signature */
1530 if (pkey != NULL) 1718 if (pkey != NULL)
1531 { 1719 {
1720 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1721 {
1722 int sigalg = tls12_get_sigid(pkey);
1723 /* Should never happen */
1724 if (sigalg == -1)
1725 {
1726 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1727 goto err;
1728 }
1729 /* Check key type is consistent with signature */
1730 if (sigalg != (int)p[1])
1731 {
1732 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_TYPE);
1733 al=SSL_AD_DECODE_ERROR;
1734 goto f_err;
1735 }
1736 md = tls12_get_hash(p[0]);
1737 if (md == NULL)
1738 {
1739 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNKNOWN_DIGEST);
1740 al=SSL_AD_DECODE_ERROR;
1741 goto f_err;
1742 }
1743#ifdef SSL_DEBUG
1744fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
1745#endif
1746 p += 2;
1747 n -= 2;
1748 }
1749 else
1750 md = EVP_sha1();
1751
1532 n2s(p,i); 1752 n2s(p,i);
1533 n-=2; 1753 n-=2;
1534 j=EVP_PKEY_size(pkey); 1754 j=EVP_PKEY_size(pkey);
@@ -1542,7 +1762,7 @@ int ssl3_get_key_exchange(SSL *s)
1542 } 1762 }
1543 1763
1544#ifndef OPENSSL_NO_RSA 1764#ifndef OPENSSL_NO_RSA
1545 if (pkey->type == EVP_PKEY_RSA) 1765 if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
1546 { 1766 {
1547 int num; 1767 int num;
1548 1768
@@ -1550,6 +1770,8 @@ int ssl3_get_key_exchange(SSL *s)
1550 q=md_buf; 1770 q=md_buf;
1551 for (num=2; num > 0; num--) 1771 for (num=2; num > 0; num--)
1552 { 1772 {
1773 EVP_MD_CTX_set_flags(&md_ctx,
1774 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1553 EVP_DigestInit_ex(&md_ctx,(num == 2) 1775 EVP_DigestInit_ex(&md_ctx,(num == 2)
1554 ?s->ctx->md5:s->ctx->sha1, NULL); 1776 ?s->ctx->md5:s->ctx->sha1, NULL);
1555 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1777 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1577,29 +1799,8 @@ int ssl3_get_key_exchange(SSL *s)
1577 } 1799 }
1578 else 1800 else
1579#endif 1801#endif
1580#ifndef OPENSSL_NO_DSA
1581 if (pkey->type == EVP_PKEY_DSA)
1582 {
1583 /* lets do DSS */
1584 EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
1585 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1586 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1587 EVP_VerifyUpdate(&md_ctx,param,param_len);
1588 if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
1589 {
1590 /* bad signature */
1591 al=SSL_AD_DECRYPT_ERROR;
1592 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SIGNATURE);
1593 goto f_err;
1594 }
1595 }
1596 else
1597#endif
1598#ifndef OPENSSL_NO_ECDSA
1599 if (pkey->type == EVP_PKEY_EC)
1600 { 1802 {
1601 /* let's do ECDSA */ 1803 EVP_VerifyInit_ex(&md_ctx, md, NULL);
1602 EVP_VerifyInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1603 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1804 EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1604 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1805 EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1605 EVP_VerifyUpdate(&md_ctx,param,param_len); 1806 EVP_VerifyUpdate(&md_ctx,param,param_len);
@@ -1611,12 +1812,6 @@ int ssl3_get_key_exchange(SSL *s)
1611 goto f_err; 1812 goto f_err;
1612 } 1813 }
1613 } 1814 }
1614 else
1615#endif
1616 {
1617 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1618 goto err;
1619 }
1620 } 1815 }
1621 else 1816 else
1622 { 1817 {
@@ -1663,7 +1858,7 @@ int ssl3_get_certificate_request(SSL *s)
1663 { 1858 {
1664 int ok,ret=0; 1859 int ok,ret=0;
1665 unsigned long n,nc,l; 1860 unsigned long n,nc,l;
1666 unsigned int llen,ctype_num,i; 1861 unsigned int llen, ctype_num,i;
1667 X509_NAME *xn=NULL; 1862 X509_NAME *xn=NULL;
1668 const unsigned char *p,*q; 1863 const unsigned char *p,*q;
1669 unsigned char *d; 1864 unsigned char *d;
@@ -1683,6 +1878,14 @@ int ssl3_get_certificate_request(SSL *s)
1683 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE) 1878 if (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)
1684 { 1879 {
1685 s->s3->tmp.reuse_message=1; 1880 s->s3->tmp.reuse_message=1;
1881 /* If we get here we don't need any cached handshake records
1882 * as we wont be doing client auth.
1883 */
1884 if (s->s3->handshake_buffer)
1885 {
1886 if (!ssl3_digest_cached_records(s))
1887 goto err;
1888 }
1686 return(1); 1889 return(1);
1687 } 1890 }
1688 1891
@@ -1719,6 +1922,26 @@ int ssl3_get_certificate_request(SSL *s)
1719 for (i=0; i<ctype_num; i++) 1922 for (i=0; i<ctype_num; i++)
1720 s->s3->tmp.ctype[i]= p[i]; 1923 s->s3->tmp.ctype[i]= p[i];
1721 p+=ctype_num; 1924 p+=ctype_num;
1925 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1926 {
1927 n2s(p, llen);
1928 /* Check we have enough room for signature algorithms and
1929 * following length value.
1930 */
1931 if ((unsigned long)(p - d + llen + 2) > n)
1932 {
1933 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1934 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_DATA_LENGTH_TOO_LONG);
1935 goto err;
1936 }
1937 if ((llen & 1) || !tls1_process_sigalgs(s, p, llen))
1938 {
1939 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1940 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1941 goto err;
1942 }
1943 p += llen;
1944 }
1722 1945
1723 /* get the CA RDNs */ 1946 /* get the CA RDNs */
1724 n2s(p,llen); 1947 n2s(p,llen);
@@ -1731,7 +1954,7 @@ fclose(out);
1731} 1954}
1732#endif 1955#endif
1733 1956
1734 if ((llen+ctype_num+2+1) != n) 1957 if ((unsigned long)(p - d + llen) != n)
1735 { 1958 {
1736 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); 1959 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
1737 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH); 1960 SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_LENGTH_MISMATCH);
@@ -2553,6 +2776,39 @@ int ssl3_send_client_key_exchange(SSL *s)
2553 EVP_PKEY_free(pub_key); 2776 EVP_PKEY_free(pub_key);
2554 2777
2555 } 2778 }
2779#ifndef OPENSSL_NO_SRP
2780 else if (alg_k & SSL_kSRP)
2781 {
2782 if (s->srp_ctx.A != NULL)
2783 {
2784 /* send off the data */
2785 n=BN_num_bytes(s->srp_ctx.A);
2786 s2n(n,p);
2787 BN_bn2bin(s->srp_ctx.A,p);
2788 n+=2;
2789 }
2790 else
2791 {
2792 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2793 goto err;
2794 }
2795 if (s->session->srp_username != NULL)
2796 OPENSSL_free(s->session->srp_username);
2797 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2798 if (s->session->srp_username == NULL)
2799 {
2800 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2801 ERR_R_MALLOC_FAILURE);
2802 goto err;
2803 }
2804
2805 if ((s->session->master_key_length = SRP_generate_client_master_secret(s,s->session->master_key))<0)
2806 {
2807 SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2808 goto err;
2809 }
2810 }
2811#endif
2556#ifndef OPENSSL_NO_PSK 2812#ifndef OPENSSL_NO_PSK
2557 else if (alg_k & SSL_kPSK) 2813 else if (alg_k & SSL_kPSK)
2558 { 2814 {
@@ -2672,12 +2928,13 @@ int ssl3_send_client_verify(SSL *s)
2672 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 2928 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
2673 EVP_PKEY *pkey; 2929 EVP_PKEY *pkey;
2674 EVP_PKEY_CTX *pctx=NULL; 2930 EVP_PKEY_CTX *pctx=NULL;
2675#ifndef OPENSSL_NO_RSA 2931 EVP_MD_CTX mctx;
2676 unsigned u=0; 2932 unsigned u=0;
2677#endif
2678 unsigned long n; 2933 unsigned long n;
2679 int j; 2934 int j;
2680 2935
2936 EVP_MD_CTX_init(&mctx);
2937
2681 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 2938 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
2682 { 2939 {
2683 d=(unsigned char *)s->init_buf->data; 2940 d=(unsigned char *)s->init_buf->data;
@@ -2688,7 +2945,8 @@ int ssl3_send_client_verify(SSL *s)
2688 EVP_PKEY_sign_init(pctx); 2945 EVP_PKEY_sign_init(pctx);
2689 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0) 2946 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
2690 { 2947 {
2691 s->method->ssl3_enc->cert_verify_mac(s, 2948 if (TLS1_get_version(s) < TLS1_2_VERSION)
2949 s->method->ssl3_enc->cert_verify_mac(s,
2692 NID_sha1, 2950 NID_sha1,
2693 &(data[MD5_DIGEST_LENGTH])); 2951 &(data[MD5_DIGEST_LENGTH]));
2694 } 2952 }
@@ -2696,6 +2954,41 @@ int ssl3_send_client_verify(SSL *s)
2696 { 2954 {
2697 ERR_clear_error(); 2955 ERR_clear_error();
2698 } 2956 }
2957 /* For TLS v1.2 send signature algorithm and signature
2958 * using agreed digest and cached handshake records.
2959 */
2960 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2961 {
2962 long hdatalen = 0;
2963 void *hdata;
2964 const EVP_MD *md = s->cert->key->digest;
2965 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,
2966 &hdata);
2967 if (hdatalen <= 0 || !tls12_get_sigandhash(p, pkey, md))
2968 {
2969 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2970 ERR_R_INTERNAL_ERROR);
2971 goto err;
2972 }
2973 p += 2;
2974#ifdef SSL_DEBUG
2975 fprintf(stderr, "Using TLS 1.2 with client alg %s\n",
2976 EVP_MD_name(md));
2977#endif
2978 if (!EVP_SignInit_ex(&mctx, md, NULL)
2979 || !EVP_SignUpdate(&mctx, hdata, hdatalen)
2980 || !EVP_SignFinal(&mctx, p + 2, &u, pkey))
2981 {
2982 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,
2983 ERR_R_EVP_LIB);
2984 goto err;
2985 }
2986 s2n(u,p);
2987 n = u + 4;
2988 if (!ssl3_digest_cached_records(s))
2989 goto err;
2990 }
2991 else
2699#ifndef OPENSSL_NO_RSA 2992#ifndef OPENSSL_NO_RSA
2700 if (pkey->type == EVP_PKEY_RSA) 2993 if (pkey->type == EVP_PKEY_RSA)
2701 { 2994 {
@@ -2778,9 +3071,11 @@ int ssl3_send_client_verify(SSL *s)
2778 s->init_num=(int)n+4; 3071 s->init_num=(int)n+4;
2779 s->init_off=0; 3072 s->init_off=0;
2780 } 3073 }
3074 EVP_MD_CTX_cleanup(&mctx);
2781 EVP_PKEY_CTX_free(pctx); 3075 EVP_PKEY_CTX_free(pctx);
2782 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3076 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
2783err: 3077err:
3078 EVP_MD_CTX_cleanup(&mctx);
2784 EVP_PKEY_CTX_free(pctx); 3079 EVP_PKEY_CTX_free(pctx);
2785 return(-1); 3080 return(-1);
2786 } 3081 }
@@ -2904,7 +3199,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
2904 if (idx == SSL_PKEY_ECC) 3199 if (idx == SSL_PKEY_ECC)
2905 { 3200 {
2906 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509, 3201 if (ssl_check_srvr_ecc_cert_and_alg(sc->peer_pkeys[idx].x509,
2907 s->s3->tmp.new_cipher) == 0) 3202 s) == 0)
2908 { /* check failed */ 3203 { /* check failed */
2909 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT); 3204 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
2910 goto f_err; 3205 goto f_err;
@@ -3000,6 +3295,32 @@ err:
3000 return(0); 3295 return(0);
3001 } 3296 }
3002 3297
3298#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3299int ssl3_send_next_proto(SSL *s)
3300 {
3301 unsigned int len, padding_len;
3302 unsigned char *d;
3303
3304 if (s->state == SSL3_ST_CW_NEXT_PROTO_A)
3305 {
3306 len = s->next_proto_negotiated_len;
3307 padding_len = 32 - ((len + 2) % 32);
3308 d = (unsigned char *)s->init_buf->data;
3309 d[4] = len;
3310 memcpy(d + 5, s->next_proto_negotiated, len);
3311 d[5 + len] = padding_len;
3312 memset(d + 6 + len, 0, padding_len);
3313 *(d++)=SSL3_MT_NEXT_PROTO;
3314 l2n3(2 + len + padding_len, d);
3315 s->state = SSL3_ST_CW_NEXT_PROTO_B;
3316 s->init_num = 4 + 2 + len + padding_len;
3317 s->init_off = 0;
3318 }
3319
3320 return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
3321}
3322#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
3323
3003/* Check to see if handshake is full or resumed. Usually this is just a 3324/* Check to see if handshake is full or resumed. Usually this is just a
3004 * case of checking to see if a cache hit has occurred. In the case of 3325 * case of checking to see if a cache hit has occurred. In the case of
3005 * session tickets we have to check the next message to be sure. 3326 * session tickets we have to check the next message to be sure.
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 1130244aeb..fb60cde8ee 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1071,6 +1071,103 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1071 256, 1071 256,
1072 }, 1072 },
1073 1073
1074 /* TLS v1.2 ciphersuites */
1075 /* Cipher 3B */
1076 {
1077 1,
1078 TLS1_TXT_RSA_WITH_NULL_SHA256,
1079 TLS1_CK_RSA_WITH_NULL_SHA256,
1080 SSL_kRSA,
1081 SSL_aRSA,
1082 SSL_eNULL,
1083 SSL_SHA256,
1084 SSL_TLSV1_2,
1085 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1086 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1087 0,
1088 0,
1089 },
1090
1091 /* Cipher 3C */
1092 {
1093 1,
1094 TLS1_TXT_RSA_WITH_AES_128_SHA256,
1095 TLS1_CK_RSA_WITH_AES_128_SHA256,
1096 SSL_kRSA,
1097 SSL_aRSA,
1098 SSL_AES128,
1099 SSL_SHA256,
1100 SSL_TLSV1_2,
1101 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1102 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1103 128,
1104 128,
1105 },
1106
1107 /* Cipher 3D */
1108 {
1109 1,
1110 TLS1_TXT_RSA_WITH_AES_256_SHA256,
1111 TLS1_CK_RSA_WITH_AES_256_SHA256,
1112 SSL_kRSA,
1113 SSL_aRSA,
1114 SSL_AES256,
1115 SSL_SHA256,
1116 SSL_TLSV1_2,
1117 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1118 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1119 256,
1120 256,
1121 },
1122
1123 /* Cipher 3E */
1124 {
1125 0, /* not implemented (non-ephemeral DH) */
1126 TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
1127 TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
1128 SSL_kDHr,
1129 SSL_aDH,
1130 SSL_AES128,
1131 SSL_SHA256,
1132 SSL_TLSV1_2,
1133 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1134 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1135 128,
1136 128,
1137 },
1138
1139 /* Cipher 3F */
1140 {
1141 0, /* not implemented (non-ephemeral DH) */
1142 TLS1_TXT_DH_RSA_WITH_AES_128_SHA256,
1143 TLS1_CK_DH_RSA_WITH_AES_128_SHA256,
1144 SSL_kDHr,
1145 SSL_aDH,
1146 SSL_AES128,
1147 SSL_SHA256,
1148 SSL_TLSV1_2,
1149 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1150 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1151 128,
1152 128,
1153 },
1154
1155 /* Cipher 40 */
1156 {
1157 1,
1158 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
1159 TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
1160 SSL_kEDH,
1161 SSL_aDSS,
1162 SSL_AES128,
1163 SSL_SHA256,
1164 SSL_TLSV1_2,
1165 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1166 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1167 128,
1168 128,
1169 },
1170
1074#ifndef OPENSSL_NO_CAMELLIA 1171#ifndef OPENSSL_NO_CAMELLIA
1075 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 1172 /* Camellia ciphersuites from RFC4132 (128-bit portion) */
1076 1173
@@ -1287,6 +1384,122 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1287 128, 1384 128,
1288 }, 1385 },
1289#endif 1386#endif
1387
1388 /* TLS v1.2 ciphersuites */
1389 /* Cipher 67 */
1390 {
1391 1,
1392 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
1393 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
1394 SSL_kEDH,
1395 SSL_aRSA,
1396 SSL_AES128,
1397 SSL_SHA256,
1398 SSL_TLSV1_2,
1399 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1400 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1401 128,
1402 128,
1403 },
1404
1405 /* Cipher 68 */
1406 {
1407 0, /* not implemented (non-ephemeral DH) */
1408 TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
1409 TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
1410 SSL_kDHr,
1411 SSL_aDH,
1412 SSL_AES256,
1413 SSL_SHA256,
1414 SSL_TLSV1_2,
1415 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1416 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1417 256,
1418 256,
1419 },
1420
1421 /* Cipher 69 */
1422 {
1423 0, /* not implemented (non-ephemeral DH) */
1424 TLS1_TXT_DH_RSA_WITH_AES_256_SHA256,
1425 TLS1_CK_DH_RSA_WITH_AES_256_SHA256,
1426 SSL_kDHr,
1427 SSL_aDH,
1428 SSL_AES256,
1429 SSL_SHA256,
1430 SSL_TLSV1_2,
1431 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1432 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1433 256,
1434 256,
1435 },
1436
1437 /* Cipher 6A */
1438 {
1439 1,
1440 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
1441 TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
1442 SSL_kEDH,
1443 SSL_aDSS,
1444 SSL_AES256,
1445 SSL_SHA256,
1446 SSL_TLSV1_2,
1447 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1448 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1449 256,
1450 256,
1451 },
1452
1453 /* Cipher 6B */
1454 {
1455 1,
1456 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
1457 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
1458 SSL_kEDH,
1459 SSL_aRSA,
1460 SSL_AES256,
1461 SSL_SHA256,
1462 SSL_TLSV1_2,
1463 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1464 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1465 256,
1466 256,
1467 },
1468
1469 /* Cipher 6C */
1470 {
1471 1,
1472 TLS1_TXT_ADH_WITH_AES_128_SHA256,
1473 TLS1_CK_ADH_WITH_AES_128_SHA256,
1474 SSL_kEDH,
1475 SSL_aNULL,
1476 SSL_AES128,
1477 SSL_SHA256,
1478 SSL_TLSV1_2,
1479 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1480 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1481 128,
1482 128,
1483 },
1484
1485 /* Cipher 6D */
1486 {
1487 1,
1488 TLS1_TXT_ADH_WITH_AES_256_SHA256,
1489 TLS1_CK_ADH_WITH_AES_256_SHA256,
1490 SSL_kEDH,
1491 SSL_aNULL,
1492 SSL_AES256,
1493 SSL_SHA256,
1494 SSL_TLSV1_2,
1495 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1496 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1497 256,
1498 256,
1499 },
1500
1501 /* GOST Ciphersuites */
1502
1290 { 1503 {
1291 1, 1504 1,
1292 "GOST94-GOST89-GOST89", 1505 "GOST94-GOST89-GOST89",
@@ -1610,6 +1823,200 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1610 1823
1611#endif /* OPENSSL_NO_SEED */ 1824#endif /* OPENSSL_NO_SEED */
1612 1825
1826 /* GCM ciphersuites from RFC5288 */
1827
1828 /* Cipher 9C */
1829 {
1830 1,
1831 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
1832 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
1833 SSL_kRSA,
1834 SSL_aRSA,
1835 SSL_AES128GCM,
1836 SSL_AEAD,
1837 SSL_TLSV1_2,
1838 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1839 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1840 128,
1841 128,
1842 },
1843
1844 /* Cipher 9D */
1845 {
1846 1,
1847 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
1848 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
1849 SSL_kRSA,
1850 SSL_aRSA,
1851 SSL_AES256GCM,
1852 SSL_AEAD,
1853 SSL_TLSV1_2,
1854 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1855 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1856 256,
1857 256,
1858 },
1859
1860 /* Cipher 9E */
1861 {
1862 1,
1863 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
1864 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
1865 SSL_kEDH,
1866 SSL_aRSA,
1867 SSL_AES128GCM,
1868 SSL_AEAD,
1869 SSL_TLSV1_2,
1870 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1871 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1872 128,
1873 128,
1874 },
1875
1876 /* Cipher 9F */
1877 {
1878 1,
1879 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
1880 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
1881 SSL_kEDH,
1882 SSL_aRSA,
1883 SSL_AES256GCM,
1884 SSL_AEAD,
1885 SSL_TLSV1_2,
1886 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1887 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1888 256,
1889 256,
1890 },
1891
1892 /* Cipher A0 */
1893 {
1894 0,
1895 TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256,
1896 TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256,
1897 SSL_kDHr,
1898 SSL_aDH,
1899 SSL_AES128GCM,
1900 SSL_AEAD,
1901 SSL_TLSV1_2,
1902 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1903 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1904 128,
1905 128,
1906 },
1907
1908 /* Cipher A1 */
1909 {
1910 0,
1911 TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384,
1912 TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384,
1913 SSL_kDHr,
1914 SSL_aDH,
1915 SSL_AES256GCM,
1916 SSL_AEAD,
1917 SSL_TLSV1_2,
1918 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1919 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1920 256,
1921 256,
1922 },
1923
1924 /* Cipher A2 */
1925 {
1926 1,
1927 TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
1928 TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
1929 SSL_kEDH,
1930 SSL_aDSS,
1931 SSL_AES128GCM,
1932 SSL_AEAD,
1933 SSL_TLSV1_2,
1934 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1935 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1936 128,
1937 128,
1938 },
1939
1940 /* Cipher A3 */
1941 {
1942 1,
1943 TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
1944 TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
1945 SSL_kEDH,
1946 SSL_aDSS,
1947 SSL_AES256GCM,
1948 SSL_AEAD,
1949 SSL_TLSV1_2,
1950 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1951 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1952 256,
1953 256,
1954 },
1955
1956 /* Cipher A4 */
1957 {
1958 0,
1959 TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
1960 TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
1961 SSL_kDHr,
1962 SSL_aDH,
1963 SSL_AES128GCM,
1964 SSL_AEAD,
1965 SSL_TLSV1_2,
1966 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1967 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
1968 128,
1969 128,
1970 },
1971
1972 /* Cipher A5 */
1973 {
1974 0,
1975 TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
1976 TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
1977 SSL_kDHr,
1978 SSL_aDH,
1979 SSL_AES256GCM,
1980 SSL_AEAD,
1981 SSL_TLSV1_2,
1982 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1983 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
1984 256,
1985 256,
1986 },
1987
1988 /* Cipher A6 */
1989 {
1990 1,
1991 TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
1992 TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
1993 SSL_kEDH,
1994 SSL_aNULL,
1995 SSL_AES128GCM,
1996 SSL_AEAD,
1997 SSL_TLSV1_2,
1998 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1999 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2000 128,
2001 128,
2002 },
2003
2004 /* Cipher A7 */
2005 {
2006 1,
2007 TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
2008 TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
2009 SSL_kEDH,
2010 SSL_aNULL,
2011 SSL_AES256GCM,
2012 SSL_AEAD,
2013 SSL_TLSV1_2,
2014 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2015 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2016 256,
2017 256,
2018 },
2019
1613#ifndef OPENSSL_NO_ECDH 2020#ifndef OPENSSL_NO_ECDH
1614 /* Cipher C001 */ 2021 /* Cipher C001 */
1615 { 2022 {
@@ -1621,7 +2028,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1621 SSL_eNULL, 2028 SSL_eNULL,
1622 SSL_SHA1, 2029 SSL_SHA1,
1623 SSL_TLSV1, 2030 SSL_TLSV1,
1624 SSL_NOT_EXP|SSL_STRONG_NONE, 2031 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1625 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2032 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1626 0, 2033 0,
1627 0, 2034 0,
@@ -1653,7 +2060,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1653 SSL_3DES, 2060 SSL_3DES,
1654 SSL_SHA1, 2061 SSL_SHA1,
1655 SSL_TLSV1, 2062 SSL_TLSV1,
1656 SSL_NOT_EXP|SSL_HIGH, 2063 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1657 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2064 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1658 168, 2065 168,
1659 168, 2066 168,
@@ -1669,7 +2076,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1669 SSL_AES128, 2076 SSL_AES128,
1670 SSL_SHA1, 2077 SSL_SHA1,
1671 SSL_TLSV1, 2078 SSL_TLSV1,
1672 SSL_NOT_EXP|SSL_HIGH, 2079 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1673 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2080 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1674 128, 2081 128,
1675 128, 2082 128,
@@ -1685,7 +2092,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1685 SSL_AES256, 2092 SSL_AES256,
1686 SSL_SHA1, 2093 SSL_SHA1,
1687 SSL_TLSV1, 2094 SSL_TLSV1,
1688 SSL_NOT_EXP|SSL_HIGH, 2095 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1689 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2096 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1690 256, 2097 256,
1691 256, 2098 256,
@@ -1701,7 +2108,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1701 SSL_eNULL, 2108 SSL_eNULL,
1702 SSL_SHA1, 2109 SSL_SHA1,
1703 SSL_TLSV1, 2110 SSL_TLSV1,
1704 SSL_NOT_EXP|SSL_STRONG_NONE, 2111 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1705 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2112 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1706 0, 2113 0,
1707 0, 2114 0,
@@ -1733,7 +2140,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1733 SSL_3DES, 2140 SSL_3DES,
1734 SSL_SHA1, 2141 SSL_SHA1,
1735 SSL_TLSV1, 2142 SSL_TLSV1,
1736 SSL_NOT_EXP|SSL_HIGH, 2143 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1737 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2144 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1738 168, 2145 168,
1739 168, 2146 168,
@@ -1749,7 +2156,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1749 SSL_AES128, 2156 SSL_AES128,
1750 SSL_SHA1, 2157 SSL_SHA1,
1751 SSL_TLSV1, 2158 SSL_TLSV1,
1752 SSL_NOT_EXP|SSL_HIGH, 2159 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1753 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2160 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1754 128, 2161 128,
1755 128, 2162 128,
@@ -1765,7 +2172,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1765 SSL_AES256, 2172 SSL_AES256,
1766 SSL_SHA1, 2173 SSL_SHA1,
1767 SSL_TLSV1, 2174 SSL_TLSV1,
1768 SSL_NOT_EXP|SSL_HIGH, 2175 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1769 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2176 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1770 256, 2177 256,
1771 256, 2178 256,
@@ -1781,7 +2188,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1781 SSL_eNULL, 2188 SSL_eNULL,
1782 SSL_SHA1, 2189 SSL_SHA1,
1783 SSL_TLSV1, 2190 SSL_TLSV1,
1784 SSL_NOT_EXP|SSL_STRONG_NONE, 2191 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1785 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2192 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1786 0, 2193 0,
1787 0, 2194 0,
@@ -1813,7 +2220,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1813 SSL_3DES, 2220 SSL_3DES,
1814 SSL_SHA1, 2221 SSL_SHA1,
1815 SSL_TLSV1, 2222 SSL_TLSV1,
1816 SSL_NOT_EXP|SSL_HIGH, 2223 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1817 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2224 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1818 168, 2225 168,
1819 168, 2226 168,
@@ -1829,7 +2236,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1829 SSL_AES128, 2236 SSL_AES128,
1830 SSL_SHA1, 2237 SSL_SHA1,
1831 SSL_TLSV1, 2238 SSL_TLSV1,
1832 SSL_NOT_EXP|SSL_HIGH, 2239 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1833 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2240 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1834 128, 2241 128,
1835 128, 2242 128,
@@ -1845,7 +2252,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1845 SSL_AES256, 2252 SSL_AES256,
1846 SSL_SHA1, 2253 SSL_SHA1,
1847 SSL_TLSV1, 2254 SSL_TLSV1,
1848 SSL_NOT_EXP|SSL_HIGH, 2255 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1849 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2256 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1850 256, 2257 256,
1851 256, 2258 256,
@@ -1861,7 +2268,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1861 SSL_eNULL, 2268 SSL_eNULL,
1862 SSL_SHA1, 2269 SSL_SHA1,
1863 SSL_TLSV1, 2270 SSL_TLSV1,
1864 SSL_NOT_EXP|SSL_STRONG_NONE, 2271 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1865 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2272 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1866 0, 2273 0,
1867 0, 2274 0,
@@ -1893,7 +2300,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1893 SSL_3DES, 2300 SSL_3DES,
1894 SSL_SHA1, 2301 SSL_SHA1,
1895 SSL_TLSV1, 2302 SSL_TLSV1,
1896 SSL_NOT_EXP|SSL_HIGH, 2303 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1897 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2304 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1898 168, 2305 168,
1899 168, 2306 168,
@@ -1909,7 +2316,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1909 SSL_AES128, 2316 SSL_AES128,
1910 SSL_SHA1, 2317 SSL_SHA1,
1911 SSL_TLSV1, 2318 SSL_TLSV1,
1912 SSL_NOT_EXP|SSL_HIGH, 2319 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1913 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2320 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1914 128, 2321 128,
1915 128, 2322 128,
@@ -1925,7 +2332,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1925 SSL_AES256, 2332 SSL_AES256,
1926 SSL_SHA1, 2333 SSL_SHA1,
1927 SSL_TLSV1, 2334 SSL_TLSV1,
1928 SSL_NOT_EXP|SSL_HIGH, 2335 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1929 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2336 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1930 256, 2337 256,
1931 256, 2338 256,
@@ -1941,7 +2348,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1941 SSL_eNULL, 2348 SSL_eNULL,
1942 SSL_SHA1, 2349 SSL_SHA1,
1943 SSL_TLSV1, 2350 SSL_TLSV1,
1944 SSL_NOT_EXP|SSL_STRONG_NONE, 2351 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
1945 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2352 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1946 0, 2353 0,
1947 0, 2354 0,
@@ -1973,7 +2380,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1973 SSL_3DES, 2380 SSL_3DES,
1974 SSL_SHA1, 2381 SSL_SHA1,
1975 SSL_TLSV1, 2382 SSL_TLSV1,
1976 SSL_NOT_EXP|SSL_HIGH, 2383 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1977 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2384 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1978 168, 2385 168,
1979 168, 2386 168,
@@ -1989,7 +2396,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1989 SSL_AES128, 2396 SSL_AES128,
1990 SSL_SHA1, 2397 SSL_SHA1,
1991 SSL_TLSV1, 2398 SSL_TLSV1,
1992 SSL_NOT_EXP|SSL_HIGH, 2399 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1993 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2400 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1994 128, 2401 128,
1995 128, 2402 128,
@@ -2005,13 +2412,423 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2005 SSL_AES256, 2412 SSL_AES256,
2006 SSL_SHA1, 2413 SSL_SHA1,
2007 SSL_TLSV1, 2414 SSL_TLSV1,
2008 SSL_NOT_EXP|SSL_HIGH, 2415 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2009 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 2416 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2010 256, 2417 256,
2011 256, 2418 256,
2012 }, 2419 },
2013#endif /* OPENSSL_NO_ECDH */ 2420#endif /* OPENSSL_NO_ECDH */
2014 2421
2422#ifndef OPENSSL_NO_SRP
2423 /* Cipher C01A */
2424 {
2425 1,
2426 TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
2427 TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
2428 SSL_kSRP,
2429 SSL_aNULL,
2430 SSL_3DES,
2431 SSL_SHA1,
2432 SSL_TLSV1,
2433 SSL_NOT_EXP|SSL_HIGH,
2434 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2435 168,
2436 168,
2437 },
2438
2439 /* Cipher C01B */
2440 {
2441 1,
2442 TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
2443 TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
2444 SSL_kSRP,
2445 SSL_aRSA,
2446 SSL_3DES,
2447 SSL_SHA1,
2448 SSL_TLSV1,
2449 SSL_NOT_EXP|SSL_HIGH,
2450 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2451 168,
2452 168,
2453 },
2454
2455 /* Cipher C01C */
2456 {
2457 1,
2458 TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
2459 TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
2460 SSL_kSRP,
2461 SSL_aDSS,
2462 SSL_3DES,
2463 SSL_SHA1,
2464 SSL_TLSV1,
2465 SSL_NOT_EXP|SSL_HIGH,
2466 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2467 168,
2468 168,
2469 },
2470
2471 /* Cipher C01D */
2472 {
2473 1,
2474 TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
2475 TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
2476 SSL_kSRP,
2477 SSL_aNULL,
2478 SSL_AES128,
2479 SSL_SHA1,
2480 SSL_TLSV1,
2481 SSL_NOT_EXP|SSL_HIGH,
2482 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2483 128,
2484 128,
2485 },
2486
2487 /* Cipher C01E */
2488 {
2489 1,
2490 TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
2491 TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
2492 SSL_kSRP,
2493 SSL_aRSA,
2494 SSL_AES128,
2495 SSL_SHA1,
2496 SSL_TLSV1,
2497 SSL_NOT_EXP|SSL_HIGH,
2498 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2499 128,
2500 128,
2501 },
2502
2503 /* Cipher C01F */
2504 {
2505 1,
2506 TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
2507 TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
2508 SSL_kSRP,
2509 SSL_aDSS,
2510 SSL_AES128,
2511 SSL_SHA1,
2512 SSL_TLSV1,
2513 SSL_NOT_EXP|SSL_HIGH,
2514 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2515 128,
2516 128,
2517 },
2518
2519 /* Cipher C020 */
2520 {
2521 1,
2522 TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
2523 TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
2524 SSL_kSRP,
2525 SSL_aNULL,
2526 SSL_AES256,
2527 SSL_SHA1,
2528 SSL_TLSV1,
2529 SSL_NOT_EXP|SSL_HIGH,
2530 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2531 256,
2532 256,
2533 },
2534
2535 /* Cipher C021 */
2536 {
2537 1,
2538 TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
2539 TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
2540 SSL_kSRP,
2541 SSL_aRSA,
2542 SSL_AES256,
2543 SSL_SHA1,
2544 SSL_TLSV1,
2545 SSL_NOT_EXP|SSL_HIGH,
2546 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2547 256,
2548 256,
2549 },
2550
2551 /* Cipher C022 */
2552 {
2553 1,
2554 TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
2555 TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
2556 SSL_kSRP,
2557 SSL_aDSS,
2558 SSL_AES256,
2559 SSL_SHA1,
2560 SSL_TLSV1,
2561 SSL_NOT_EXP|SSL_HIGH,
2562 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
2563 256,
2564 256,
2565 },
2566#endif /* OPENSSL_NO_SRP */
2567#ifndef OPENSSL_NO_ECDH
2568
2569 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
2570
2571 /* Cipher C023 */
2572 {
2573 1,
2574 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
2575 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
2576 SSL_kEECDH,
2577 SSL_aECDSA,
2578 SSL_AES128,
2579 SSL_SHA256,
2580 SSL_TLSV1_2,
2581 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2582 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2583 128,
2584 128,
2585 },
2586
2587 /* Cipher C024 */
2588 {
2589 1,
2590 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
2591 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
2592 SSL_kEECDH,
2593 SSL_aECDSA,
2594 SSL_AES256,
2595 SSL_SHA384,
2596 SSL_TLSV1_2,
2597 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2598 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2599 256,
2600 256,
2601 },
2602
2603 /* Cipher C025 */
2604 {
2605 1,
2606 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256,
2607 TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256,
2608 SSL_kECDHe,
2609 SSL_aECDH,
2610 SSL_AES128,
2611 SSL_SHA256,
2612 SSL_TLSV1_2,
2613 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2614 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2615 128,
2616 128,
2617 },
2618
2619 /* Cipher C026 */
2620 {
2621 1,
2622 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384,
2623 TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384,
2624 SSL_kECDHe,
2625 SSL_aECDH,
2626 SSL_AES256,
2627 SSL_SHA384,
2628 SSL_TLSV1_2,
2629 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2630 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2631 256,
2632 256,
2633 },
2634
2635 /* Cipher C027 */
2636 {
2637 1,
2638 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
2639 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
2640 SSL_kEECDH,
2641 SSL_aRSA,
2642 SSL_AES128,
2643 SSL_SHA256,
2644 SSL_TLSV1_2,
2645 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2646 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2647 128,
2648 128,
2649 },
2650
2651 /* Cipher C028 */
2652 {
2653 1,
2654 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
2655 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
2656 SSL_kEECDH,
2657 SSL_aRSA,
2658 SSL_AES256,
2659 SSL_SHA384,
2660 SSL_TLSV1_2,
2661 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2662 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2663 256,
2664 256,
2665 },
2666
2667 /* Cipher C029 */
2668 {
2669 1,
2670 TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
2671 TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
2672 SSL_kECDHe,
2673 SSL_aECDH,
2674 SSL_AES128,
2675 SSL_SHA256,
2676 SSL_TLSV1_2,
2677 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2678 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2679 128,
2680 128,
2681 },
2682
2683 /* Cipher C02A */
2684 {
2685 1,
2686 TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
2687 TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
2688 SSL_kECDHe,
2689 SSL_aECDH,
2690 SSL_AES256,
2691 SSL_SHA384,
2692 SSL_TLSV1_2,
2693 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2694 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2695 256,
2696 256,
2697 },
2698
2699 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
2700
2701 /* Cipher C02B */
2702 {
2703 1,
2704 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2705 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
2706 SSL_kEECDH,
2707 SSL_aECDSA,
2708 SSL_AES128GCM,
2709 SSL_AEAD,
2710 SSL_TLSV1_2,
2711 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2712 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2713 128,
2714 128,
2715 },
2716
2717 /* Cipher C02C */
2718 {
2719 1,
2720 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
2721 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
2722 SSL_kEECDH,
2723 SSL_aECDSA,
2724 SSL_AES256GCM,
2725 SSL_AEAD,
2726 SSL_TLSV1_2,
2727 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2728 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2729 256,
2730 256,
2731 },
2732
2733 /* Cipher C02D */
2734 {
2735 1,
2736 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
2737 TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
2738 SSL_kECDHe,
2739 SSL_aECDH,
2740 SSL_AES128GCM,
2741 SSL_AEAD,
2742 SSL_TLSV1_2,
2743 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2744 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2745 128,
2746 128,
2747 },
2748
2749 /* Cipher C02E */
2750 {
2751 1,
2752 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
2753 TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
2754 SSL_kECDHe,
2755 SSL_aECDH,
2756 SSL_AES256GCM,
2757 SSL_AEAD,
2758 SSL_TLSV1_2,
2759 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2760 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2761 256,
2762 256,
2763 },
2764
2765 /* Cipher C02F */
2766 {
2767 1,
2768 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2769 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
2770 SSL_kEECDH,
2771 SSL_aRSA,
2772 SSL_AES128GCM,
2773 SSL_AEAD,
2774 SSL_TLSV1_2,
2775 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2776 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2777 128,
2778 128,
2779 },
2780
2781 /* Cipher C030 */
2782 {
2783 1,
2784 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
2785 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
2786 SSL_kEECDH,
2787 SSL_aRSA,
2788 SSL_AES256GCM,
2789 SSL_AEAD,
2790 SSL_TLSV1_2,
2791 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2792 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2793 256,
2794 256,
2795 },
2796
2797 /* Cipher C031 */
2798 {
2799 1,
2800 TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
2801 TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
2802 SSL_kECDHe,
2803 SSL_aECDH,
2804 SSL_AES128GCM,
2805 SSL_AEAD,
2806 SSL_TLSV1_2,
2807 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2808 SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256,
2809 128,
2810 128,
2811 },
2812
2813 /* Cipher C032 */
2814 {
2815 1,
2816 TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
2817 TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
2818 SSL_kECDHe,
2819 SSL_aECDH,
2820 SSL_AES256GCM,
2821 SSL_AEAD,
2822 SSL_TLSV1_2,
2823 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
2824 SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384,
2825 256,
2826 256,
2827 },
2828
2829#endif /* OPENSSL_NO_ECDH */
2830
2831
2015#ifdef TEMP_GOST_TLS 2832#ifdef TEMP_GOST_TLS
2016/* Cipher FF00 */ 2833/* Cipher FF00 */
2017 { 2834 {
@@ -2087,6 +2904,9 @@ SSL3_ENC_METHOD SSLv3_enc_data={
2087 SSL3_MD_CLIENT_FINISHED_CONST,4, 2904 SSL3_MD_CLIENT_FINISHED_CONST,4,
2088 SSL3_MD_SERVER_FINISHED_CONST,4, 2905 SSL3_MD_SERVER_FINISHED_CONST,4,
2089 ssl3_alert_code, 2906 ssl3_alert_code,
2907 (int (*)(SSL *, unsigned char *, size_t, const char *,
2908 size_t, const unsigned char *, size_t,
2909 int use_context))ssl_undefined_function,
2090 }; 2910 };
2091 2911
2092long ssl3_default_timeout(void) 2912long ssl3_default_timeout(void)
@@ -2128,6 +2948,9 @@ int ssl3_new(SSL *s)
2128 2948
2129 s->s3=s3; 2949 s->s3=s3;
2130 2950
2951#ifndef OPENSSL_NO_SRP
2952 SSL_SRP_CTX_init(s);
2953#endif
2131 s->method->ssl_clear(s); 2954 s->method->ssl_clear(s);
2132 return(1); 2955 return(1);
2133err: 2956err:
@@ -2168,6 +2991,9 @@ void ssl3_free(SSL *s)
2168 BIO_free(s->s3->handshake_buffer); 2991 BIO_free(s->s3->handshake_buffer);
2169 } 2992 }
2170 if (s->s3->handshake_dgst) ssl3_free_digest_list(s); 2993 if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
2994#ifndef OPENSSL_NO_SRP
2995 SSL_SRP_CTX_free(s);
2996#endif
2171 OPENSSL_cleanse(s->s3,sizeof *s->s3); 2997 OPENSSL_cleanse(s->s3,sizeof *s->s3);
2172 OPENSSL_free(s->s3); 2998 OPENSSL_free(s->s3);
2173 s->s3=NULL; 2999 s->s3=NULL;
@@ -2239,8 +3065,24 @@ void ssl3_clear(SSL *s)
2239 s->s3->num_renegotiations=0; 3065 s->s3->num_renegotiations=0;
2240 s->s3->in_read_app_data=0; 3066 s->s3->in_read_app_data=0;
2241 s->version=SSL3_VERSION; 3067 s->version=SSL3_VERSION;
3068
3069#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
3070 if (s->next_proto_negotiated)
3071 {
3072 OPENSSL_free(s->next_proto_negotiated);
3073 s->next_proto_negotiated = NULL;
3074 s->next_proto_negotiated_len = 0;
3075 }
3076#endif
2242 } 3077 }
2243 3078
3079#ifndef OPENSSL_NO_SRP
3080static char * MS_CALLBACK srp_password_from_info_cb(SSL *s, void *arg)
3081 {
3082 return BUF_strdup(s->srp_ctx.info) ;
3083 }
3084#endif
3085
2244long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 3086long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2245 { 3087 {
2246 int ret=0; 3088 int ret=0;
@@ -2486,6 +3328,27 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
2486 ret = 1; 3328 ret = 1;
2487 break; 3329 break;
2488 3330
3331#ifndef OPENSSL_NO_HEARTBEATS
3332 case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
3333 if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
3334 ret = dtls1_heartbeat(s);
3335 else
3336 ret = tls1_heartbeat(s);
3337 break;
3338
3339 case SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING:
3340 ret = s->tlsext_hb_pending;
3341 break;
3342
3343 case SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS:
3344 if (larg)
3345 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
3346 else
3347 s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
3348 ret = 1;
3349 break;
3350#endif
3351
2489#endif /* !OPENSSL_NO_TLSEXT */ 3352#endif /* !OPENSSL_NO_TLSEXT */
2490 default: 3353 default:
2491 break; 3354 break;
@@ -2718,6 +3581,38 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2718 return 1; 3581 return 1;
2719 break; 3582 break;
2720 3583
3584#ifndef OPENSSL_NO_SRP
3585 case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
3586 ctx->srp_ctx.srp_Mask|=SSL_kSRP;
3587 if (ctx->srp_ctx.login != NULL)
3588 OPENSSL_free(ctx->srp_ctx.login);
3589 ctx->srp_ctx.login = NULL;
3590 if (parg == NULL)
3591 break;
3592 if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1)
3593 {
3594 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
3595 return 0;
3596 }
3597 if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL)
3598 {
3599 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
3600 return 0;
3601 }
3602 break;
3603 case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
3604 ctx->srp_ctx.SRP_give_srp_client_pwd_callback=srp_password_from_info_cb;
3605 ctx->srp_ctx.info=parg;
3606 break;
3607 case SSL_CTRL_SET_SRP_ARG:
3608 ctx->srp_ctx.srp_Mask|=SSL_kSRP;
3609 ctx->srp_ctx.SRP_cb_arg=parg;
3610 break;
3611
3612 case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
3613 ctx->srp_ctx.strength=larg;
3614 break;
3615#endif
2721#endif /* !OPENSSL_NO_TLSEXT */ 3616#endif /* !OPENSSL_NO_TLSEXT */
2722 3617
2723 /* A Thawte special :-) */ 3618 /* A Thawte special :-) */
@@ -2730,6 +3625,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
2730 sk_X509_push(ctx->extra_certs,(X509 *)parg); 3625 sk_X509_push(ctx->extra_certs,(X509 *)parg);
2731 break; 3626 break;
2732 3627
3628 case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
3629 *(STACK_OF(X509) **)parg = ctx->extra_certs;
3630 break;
3631
3632 case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
3633 if (ctx->extra_certs)
3634 {
3635 sk_X509_pop_free(ctx->extra_certs, X509_free);
3636 ctx->extra_certs = NULL;
3637 }
3638 break;
3639
2733 default: 3640 default:
2734 return(0); 3641 return(0);
2735 } 3642 }
@@ -2787,6 +3694,20 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
2787 HMAC_CTX *, int))fp; 3694 HMAC_CTX *, int))fp;
2788 break; 3695 break;
2789 3696
3697#ifndef OPENSSL_NO_SRP
3698 case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
3699 ctx->srp_ctx.srp_Mask|=SSL_kSRP;
3700 ctx->srp_ctx.SRP_verify_param_callback=(int (*)(SSL *,void *))fp;
3701 break;
3702 case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
3703 ctx->srp_ctx.srp_Mask|=SSL_kSRP;
3704 ctx->srp_ctx.TLS_ext_srp_username_callback=(int (*)(SSL *,int *,void *))fp;
3705 break;
3706 case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
3707 ctx->srp_ctx.srp_Mask|=SSL_kSRP;
3708 ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp;
3709 break;
3710#endif
2790#endif 3711#endif
2791 default: 3712 default:
2792 return(0); 3713 return(0);
@@ -2805,6 +3726,9 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
2805 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; 3726 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
2806 c.id=id; 3727 c.id=id;
2807 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); 3728 cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
3729#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
3730if (cp == NULL) fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]);
3731#endif
2808 if (cp == NULL || cp->valid == 0) 3732 if (cp == NULL || cp->valid == 0)
2809 return NULL; 3733 return NULL;
2810 else 3734 else
@@ -2882,11 +3806,20 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
2882 { 3806 {
2883 c=sk_SSL_CIPHER_value(prio,i); 3807 c=sk_SSL_CIPHER_value(prio,i);
2884 3808
3809 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
3810 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
3811 (TLS1_get_version(s) < TLS1_2_VERSION))
3812 continue;
3813
2885 ssl_set_cert_masks(cert,c); 3814 ssl_set_cert_masks(cert,c);
2886 mask_k = cert->mask_k; 3815 mask_k = cert->mask_k;
2887 mask_a = cert->mask_a; 3816 mask_a = cert->mask_a;
2888 emask_k = cert->export_mask_k; 3817 emask_k = cert->export_mask_k;
2889 emask_a = cert->export_mask_a; 3818 emask_a = cert->export_mask_a;
3819#ifndef OPENSSL_NO_SRP
3820 mask_k=cert->mask_k | s->srp_ctx.srp_Mask;
3821 emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask;
3822#endif
2890 3823
2891#ifdef KSSL_DEBUG 3824#ifdef KSSL_DEBUG
2892/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ 3825/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
@@ -3335,4 +4268,15 @@ need to go to SSL_ST_ACCEPT.
3335 } 4268 }
3336 return(ret); 4269 return(ret);
3337 } 4270 }
3338 4271/* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch
4272 * to new SHA256 PRF and handshake macs
4273 */
4274long ssl_get_algorithm2(SSL *s)
4275 {
4276 long alg2 = s->s3->tmp.new_cipher->algorithm2;
4277 if (TLS1_get_version(s) >= TLS1_2_VERSION &&
4278 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
4279 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
4280 return alg2;
4281 }
4282
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index f9b3629cf7..adf8c387cc 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -115,6 +115,7 @@
115#include "ssl_locl.h" 115#include "ssl_locl.h"
116#include <openssl/evp.h> 116#include <openssl/evp.h>
117#include <openssl/buffer.h> 117#include <openssl/buffer.h>
118#include <openssl/rand.h>
118 119
119static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, 120static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
120 unsigned int len, int create_empty_fragment); 121 unsigned int len, int create_empty_fragment);
@@ -630,6 +631,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
630 unsigned char *p,*plen; 631 unsigned char *p,*plen;
631 int i,mac_size,clear=0; 632 int i,mac_size,clear=0;
632 int prefix_len=0; 633 int prefix_len=0;
634 int eivlen;
633 long align=0; 635 long align=0;
634 SSL3_RECORD *wr; 636 SSL3_RECORD *wr;
635 SSL3_BUFFER *wb=&(s->s3->wbuf); 637 SSL3_BUFFER *wb=&(s->s3->wbuf);
@@ -662,10 +664,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
662 if ( (sess == NULL) || 664 if ( (sess == NULL) ||
663 (s->enc_write_ctx == NULL) || 665 (s->enc_write_ctx == NULL) ||
664 (EVP_MD_CTX_md(s->write_hash) == NULL)) 666 (EVP_MD_CTX_md(s->write_hash) == NULL))
667 {
668#if 1
669 clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */
670#else
665 clear=1; 671 clear=1;
666 672#endif
667 if (clear)
668 mac_size=0; 673 mac_size=0;
674 }
669 else 675 else
670 { 676 {
671 mac_size=EVP_MD_CTX_size(s->write_hash); 677 mac_size=EVP_MD_CTX_size(s->write_hash);
@@ -734,14 +740,39 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
734 wr->type=type; 740 wr->type=type;
735 741
736 *(p++)=(s->version>>8); 742 *(p++)=(s->version>>8);
737 *(p++)=s->version&0xff; 743 /* Some servers hang if iniatial client hello is larger than 256
744 * bytes and record version number > TLS 1.0
745 */
746 if (s->state == SSL3_ST_CW_CLNT_HELLO_B
747 && TLS1_get_version(s) > TLS1_VERSION)
748 *(p++) = 0x1;
749 else
750 *(p++)=s->version&0xff;
738 751
739 /* field where we are to write out packet length */ 752 /* field where we are to write out packet length */
740 plen=p; 753 plen=p;
741 p+=2; 754 p+=2;
755 /* Explicit IV length, block ciphers and TLS version 1.1 or later */
756 if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
757 {
758 int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
759 if (mode == EVP_CIPH_CBC_MODE)
760 {
761 eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
762 if (eivlen <= 1)
763 eivlen = 0;
764 }
765 /* Need explicit part of IV for GCM mode */
766 else if (mode == EVP_CIPH_GCM_MODE)
767 eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
768 else
769 eivlen = 0;
770 }
771 else
772 eivlen = 0;
742 773
743 /* lets setup the record stuff. */ 774 /* lets setup the record stuff. */
744 wr->data=p; 775 wr->data=p + eivlen;
745 wr->length=(int)len; 776 wr->length=(int)len;
746 wr->input=(unsigned char *)buf; 777 wr->input=(unsigned char *)buf;
747 778
@@ -769,11 +800,19 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
769 800
770 if (mac_size != 0) 801 if (mac_size != 0)
771 { 802 {
772 if (s->method->ssl3_enc->mac(s,&(p[wr->length]),1) < 0) 803 if (s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
773 goto err; 804 goto err;
774 wr->length+=mac_size; 805 wr->length+=mac_size;
775 wr->input=p; 806 }
776 wr->data=p; 807
808 wr->input=p;
809 wr->data=p;
810
811 if (eivlen)
812 {
813 /* if (RAND_pseudo_bytes(p, eivlen) <= 0)
814 goto err; */
815 wr->length += eivlen;
777 } 816 }
778 817
779 /* ssl3_enc can only have an error on read */ 818 /* ssl3_enc can only have an error on read */
@@ -1042,6 +1081,19 @@ start:
1042 dest = s->s3->alert_fragment; 1081 dest = s->s3->alert_fragment;
1043 dest_len = &s->s3->alert_fragment_len; 1082 dest_len = &s->s3->alert_fragment_len;
1044 } 1083 }
1084#ifndef OPENSSL_NO_HEARTBEATS
1085 else if (rr->type == TLS1_RT_HEARTBEAT)
1086 {
1087 tls1_process_heartbeat(s);
1088
1089 /* Exit and notify application to read again */
1090 rr->length = 0;
1091 s->rwstate=SSL_READING;
1092 BIO_clear_retry_flags(SSL_get_rbio(s));
1093 BIO_set_retry_read(SSL_get_rbio(s));
1094 return(-1);
1095 }
1096#endif
1045 1097
1046 if (dest_maxlen > 0) 1098 if (dest_maxlen > 0)
1047 { 1099 {
@@ -1185,6 +1237,10 @@ start:
1185 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION); 1237 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
1186 goto f_err; 1238 goto f_err;
1187 } 1239 }
1240#ifdef SSL_AD_MISSING_SRP_USERNAME
1241 if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1242 return(0);
1243#endif
1188 } 1244 }
1189 else if (alert_level == 2) /* fatal */ 1245 else if (alert_level == 2) /* fatal */
1190 { 1246 {
@@ -1263,6 +1319,7 @@ start:
1263#else 1319#else
1264 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1320 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1265#endif 1321#endif
1322 s->renegotiate=1;
1266 s->new_session=1; 1323 s->new_session=1;
1267 } 1324 }
1268 i=s->handshake_func(s); 1325 i=s->handshake_func(s);
@@ -1296,8 +1353,10 @@ start:
1296 { 1353 {
1297 default: 1354 default:
1298#ifndef OPENSSL_NO_TLS 1355#ifndef OPENSSL_NO_TLS
1299 /* TLS just ignores unknown message types */ 1356 /* TLS up to v1.1 just ignores unknown message types:
1300 if (s->version == TLS1_VERSION) 1357 * TLS v1.2 give an unexpected message alert.
1358 */
1359 if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
1301 { 1360 {
1302 rr->length = 0; 1361 rr->length = 0;
1303 goto start; 1362 goto start;
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index d734c359fb..118939fabb 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -179,6 +179,31 @@ static const SSL_METHOD *ssl3_get_server_method(int ver)
179 return(NULL); 179 return(NULL);
180 } 180 }
181 181
182#ifndef OPENSSL_NO_SRP
183static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
184 {
185 int ret = SSL_ERROR_NONE;
186
187 *al = SSL_AD_UNRECOGNIZED_NAME;
188
189 if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
190 (s->srp_ctx.TLS_ext_srp_username_callback != NULL))
191 {
192 if(s->srp_ctx.login == NULL)
193 {
194 /* There isn't any srp login extension !!! */
195 ret = SSL3_AL_FATAL;
196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
197 }
198 else
199 {
200 ret = SSL_srp_server_param_with_username(s,al);
201 }
202 }
203 return ret;
204 }
205#endif
206
182IMPLEMENT_ssl3_meth_func(SSLv3_server_method, 207IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
183 ssl3_accept, 208 ssl3_accept,
184 ssl_undefined_function, 209 ssl_undefined_function,
@@ -211,6 +236,18 @@ int ssl3_accept(SSL *s)
211 return(-1); 236 return(-1);
212 } 237 }
213 238
239#ifndef OPENSSL_NO_HEARTBEATS
240 /* If we're awaiting a HeartbeatResponse, pretend we
241 * already got and don't await it anymore, because
242 * Heartbeats don't make sense during handshakes anyway.
243 */
244 if (s->tlsext_hb_pending)
245 {
246 s->tlsext_hb_pending = 0;
247 s->tlsext_hb_seq++;
248 }
249#endif
250
214 for (;;) 251 for (;;)
215 { 252 {
216 state=s->state; 253 state=s->state;
@@ -218,7 +255,7 @@ int ssl3_accept(SSL *s)
218 switch (s->state) 255 switch (s->state)
219 { 256 {
220 case SSL_ST_RENEGOTIATE: 257 case SSL_ST_RENEGOTIATE:
221 s->new_session=1; 258 s->renegotiate=1;
222 /* s->state=SSL_ST_ACCEPT; */ 259 /* s->state=SSL_ST_ACCEPT; */
223 260
224 case SSL_ST_BEFORE: 261 case SSL_ST_BEFORE:
@@ -314,10 +351,34 @@ int ssl3_accept(SSL *s)
314 case SSL3_ST_SR_CLNT_HELLO_C: 351 case SSL3_ST_SR_CLNT_HELLO_C:
315 352
316 s->shutdown=0; 353 s->shutdown=0;
317 ret=ssl3_get_client_hello(s); 354 if (s->rwstate != SSL_X509_LOOKUP)
318 if (ret <= 0) goto end; 355 {
319 356 ret=ssl3_get_client_hello(s);
320 s->new_session = 2; 357 if (ret <= 0) goto end;
358 }
359#ifndef OPENSSL_NO_SRP
360 {
361 int al;
362 if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0)
363 {
364 /* callback indicates firther work to be done */
365 s->rwstate=SSL_X509_LOOKUP;
366 goto end;
367 }
368 if (ret != SSL_ERROR_NONE)
369 {
370 ssl3_send_alert(s,SSL3_AL_FATAL,al);
371 /* This is not really an error but the only means to
372 for a client to detect whether srp is supported. */
373 if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
374 SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
375 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
376 ret= -1;
377 goto end;
378 }
379 }
380#endif
381 s->renegotiate = 2;
321 s->state=SSL3_ST_SW_SRVR_HELLO_A; 382 s->state=SSL3_ST_SW_SRVR_HELLO_A;
322 s->init_num=0; 383 s->init_num=0;
323 break; 384 break;
@@ -346,7 +407,7 @@ int ssl3_accept(SSL *s)
346 case SSL3_ST_SW_CERT_A: 407 case SSL3_ST_SW_CERT_A:
347 case SSL3_ST_SW_CERT_B: 408 case SSL3_ST_SW_CERT_B:
348 /* Check if it is anon DH or anon ECDH, */ 409 /* Check if it is anon DH or anon ECDH, */
349 /* normal PSK or KRB5 */ 410 /* normal PSK or KRB5 or SRP */
350 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 411 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
351 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) 412 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
352 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) 413 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
@@ -411,6 +472,10 @@ int ssl3_accept(SSL *s)
411#ifndef OPENSSL_NO_PSK 472#ifndef OPENSSL_NO_PSK
412 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 473 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
413#endif 474#endif
475#ifndef OPENSSL_NO_SRP
476 /* SRP: send ServerKeyExchange */
477 || (alg_k & SSL_kSRP)
478#endif
414 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) 479 || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
415 || (alg_k & SSL_kEECDH) 480 || (alg_k & SSL_kEECDH)
416 || ((alg_k & SSL_kRSA) 481 || ((alg_k & SSL_kRSA)
@@ -457,6 +522,9 @@ int ssl3_accept(SSL *s)
457 skip=1; 522 skip=1;
458 s->s3->tmp.cert_request=0; 523 s->s3->tmp.cert_request=0;
459 s->state=SSL3_ST_SW_SRVR_DONE_A; 524 s->state=SSL3_ST_SW_SRVR_DONE_A;
525 if (s->s3->handshake_buffer)
526 if (!ssl3_digest_cached_records(s))
527 return -1;
460 } 528 }
461 else 529 else
462 { 530 {
@@ -539,9 +607,34 @@ int ssl3_accept(SSL *s)
539 * the client uses its key from the certificate 607 * the client uses its key from the certificate
540 * for key exchange. 608 * for key exchange.
541 */ 609 */
610#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
542 s->state=SSL3_ST_SR_FINISHED_A; 611 s->state=SSL3_ST_SR_FINISHED_A;
612#else
613 if (s->s3->next_proto_neg_seen)
614 s->state=SSL3_ST_SR_NEXT_PROTO_A;
615 else
616 s->state=SSL3_ST_SR_FINISHED_A;
617#endif
543 s->init_num = 0; 618 s->init_num = 0;
544 } 619 }
620 else if (TLS1_get_version(s) >= TLS1_2_VERSION)
621 {
622 s->state=SSL3_ST_SR_CERT_VRFY_A;
623 s->init_num=0;
624 if (!s->session->peer)
625 break;
626 /* For TLS v1.2 freeze the handshake buffer
627 * at this point and digest cached records.
628 */
629 if (!s->s3->handshake_buffer)
630 {
631 SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
632 return -1;
633 }
634 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
635 if (!ssl3_digest_cached_records(s))
636 return -1;
637 }
545 else 638 else
546 { 639 {
547 int offset=0; 640 int offset=0;
@@ -582,23 +675,37 @@ int ssl3_accept(SSL *s)
582 ret=ssl3_get_cert_verify(s); 675 ret=ssl3_get_cert_verify(s);
583 if (ret <= 0) goto end; 676 if (ret <= 0) goto end;
584 677
678#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
585 s->state=SSL3_ST_SR_FINISHED_A; 679 s->state=SSL3_ST_SR_FINISHED_A;
680#else
681 if (s->s3->next_proto_neg_seen)
682 s->state=SSL3_ST_SR_NEXT_PROTO_A;
683 else
684 s->state=SSL3_ST_SR_FINISHED_A;
685#endif
586 s->init_num=0; 686 s->init_num=0;
587 break; 687 break;
588 688
689#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
690 case SSL3_ST_SR_NEXT_PROTO_A:
691 case SSL3_ST_SR_NEXT_PROTO_B:
692 ret=ssl3_get_next_proto(s);
693 if (ret <= 0) goto end;
694 s->init_num = 0;
695 s->state=SSL3_ST_SR_FINISHED_A;
696 break;
697#endif
698
589 case SSL3_ST_SR_FINISHED_A: 699 case SSL3_ST_SR_FINISHED_A:
590 case SSL3_ST_SR_FINISHED_B: 700 case SSL3_ST_SR_FINISHED_B:
591 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 701 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
592 SSL3_ST_SR_FINISHED_B); 702 SSL3_ST_SR_FINISHED_B);
593 if (ret <= 0) goto end; 703 if (ret <= 0) goto end;
594#ifndef OPENSSL_NO_TLSEXT
595 if (s->tlsext_ticket_expected)
596 s->state=SSL3_ST_SW_SESSION_TICKET_A;
597 else if (s->hit)
598 s->state=SSL_ST_OK;
599#else
600 if (s->hit) 704 if (s->hit)
601 s->state=SSL_ST_OK; 705 s->state=SSL_ST_OK;
706#ifndef OPENSSL_NO_TLSEXT
707 else if (s->tlsext_ticket_expected)
708 s->state=SSL3_ST_SW_SESSION_TICKET_A;
602#endif 709#endif
603 else 710 else
604 s->state=SSL3_ST_SW_CHANGE_A; 711 s->state=SSL3_ST_SW_CHANGE_A;
@@ -656,7 +763,16 @@ int ssl3_accept(SSL *s)
656 if (ret <= 0) goto end; 763 if (ret <= 0) goto end;
657 s->state=SSL3_ST_SW_FLUSH; 764 s->state=SSL3_ST_SW_FLUSH;
658 if (s->hit) 765 if (s->hit)
766 {
767#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
659 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 768 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
769#else
770 if (s->s3->next_proto_neg_seen)
771 s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
772 else
773 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
774#endif
775 }
660 else 776 else
661 s->s3->tmp.next_state=SSL_ST_OK; 777 s->s3->tmp.next_state=SSL_ST_OK;
662 s->init_num=0; 778 s->init_num=0;
@@ -674,11 +790,9 @@ int ssl3_accept(SSL *s)
674 790
675 s->init_num=0; 791 s->init_num=0;
676 792
677 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 793 if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
678 { 794 {
679 /* actually not necessarily a 'new' session unless 795 s->renegotiate=0;
680 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
681
682 s->new_session=0; 796 s->new_session=0;
683 797
684 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 798 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
@@ -756,14 +870,6 @@ int ssl3_check_client_hello(SSL *s)
756 int ok; 870 int ok;
757 long n; 871 long n;
758 872
759 /* We only allow the client to restart the handshake once per
760 * negotiation. */
761 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
762 {
763 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
764 return -1;
765 }
766
767 /* this function is called when we really expect a Certificate message, 873 /* this function is called when we really expect a Certificate message,
768 * so permit appropriate message length */ 874 * so permit appropriate message length */
769 n=s->method->ssl_get_message(s, 875 n=s->method->ssl_get_message(s,
@@ -776,6 +882,13 @@ int ssl3_check_client_hello(SSL *s)
776 s->s3->tmp.reuse_message = 1; 882 s->s3->tmp.reuse_message = 1;
777 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) 883 if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
778 { 884 {
885 /* We only allow the client to restart the handshake once per
886 * negotiation. */
887 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
888 {
889 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
890 return -1;
891 }
779 /* Throw away what we have done so far in the current handshake, 892 /* Throw away what we have done so far in the current handshake,
780 * which will now be aborted. (A full SSL_clear would be too much.) */ 893 * which will now be aborted. (A full SSL_clear would be too much.) */
781#ifndef OPENSSL_NO_DH 894#ifndef OPENSSL_NO_DH
@@ -817,7 +930,8 @@ int ssl3_get_client_hello(SSL *s)
817 * If we are SSLv3, we will respond with SSLv3, even if prompted with 930 * If we are SSLv3, we will respond with SSLv3, even if prompted with
818 * TLSv1. 931 * TLSv1.
819 */ 932 */
820 if (s->state == SSL3_ST_SR_CLNT_HELLO_A) 933 if (s->state == SSL3_ST_SR_CLNT_HELLO_A
934 )
821 { 935 {
822 s->state=SSL3_ST_SR_CLNT_HELLO_B; 936 s->state=SSL3_ST_SR_CLNT_HELLO_B;
823 } 937 }
@@ -874,13 +988,16 @@ int ssl3_get_client_hello(SSL *s)
874 j= *(p++); 988 j= *(p++);
875 989
876 s->hit=0; 990 s->hit=0;
877 /* Versions before 0.9.7 always allow session reuse during renegotiation 991 /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
878 * (i.e. when s->new_session is true), option 992 * 0.9.7 and later allow this by default, but optionally ignore resumption requests
879 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. 993 * with flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
880 * Maybe this optional behaviour should always have been the default, 994 * than a change to default behavior so that applications relying on this for security
881 * but we cannot safely change the default behaviour (or new applications 995 * won't even compile against older library versions).
882 * might be written that become totally unsecure when compiled with 996 *
883 * an earlier library version) 997 * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to request
998 * renegotiation but not a new session (s->new_session remains unset): for servers,
999 * this essentially just means that the SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
1000 * setting will be ignored.
884 */ 1001 */
885 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) 1002 if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
886 { 1003 {
@@ -1269,8 +1386,11 @@ int ssl3_get_client_hello(SSL *s)
1269 s->s3->tmp.new_cipher=s->session->cipher; 1386 s->s3->tmp.new_cipher=s->session->cipher;
1270 } 1387 }
1271 1388
1272 if (!ssl3_digest_cached_records(s)) 1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
1273 goto f_err; 1390 {
1391 if (!ssl3_digest_cached_records(s))
1392 goto f_err;
1393 }
1274 1394
1275 /* we now have the following setup. 1395 /* we now have the following setup.
1276 * client_random 1396 * client_random
@@ -1325,20 +1445,20 @@ int ssl3_send_server_hello(SSL *s)
1325 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 1445 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
1326 p+=SSL3_RANDOM_SIZE; 1446 p+=SSL3_RANDOM_SIZE;
1327 1447
1328 /* now in theory we have 3 options to sending back the 1448 /* There are several cases for the session ID to send
1329 * session id. If it is a re-use, we send back the 1449 * back in the server hello:
1330 * old session-id, if it is a new session, we send 1450 * - For session reuse from the session cache,
1331 * back the new session-id or we send back a 0 length 1451 * we send back the old session ID.
1332 * session-id if we want it to be single use. 1452 * - If stateless session reuse (using a session ticket)
1333 * Currently I will not implement the '0' length session-id 1453 * is successful, we send back the client's "session ID"
1334 * 12-Jan-98 - I'll now support the '0' length stuff. 1454 * (which doesn't actually identify the session).
1335 * 1455 * - If it is a new session, we send back the new
1336 * We also have an additional case where stateless session 1456 * session ID.
1337 * resumption is successful: we always send back the old 1457 * - However, if we want the new session to be single-use,
1338 * session id. In this case s->hit is non zero: this can 1458 * we send back a 0-length session ID.
1339 * only happen if stateless session resumption is succesful 1459 * s->hit is non-zero in either case of session reuse,
1340 * if session caching is disabled so existing functionality 1460 * so the following won't overwrite an ID that we're supposed
1341 * is unaffected. 1461 * to send back.
1342 */ 1462 */
1343 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) 1463 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
1344 && !s->hit) 1464 && !s->hit)
@@ -1439,6 +1559,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1439 BN_CTX *bn_ctx = NULL; 1559 BN_CTX *bn_ctx = NULL;
1440#endif 1560#endif
1441 EVP_PKEY *pkey; 1561 EVP_PKEY *pkey;
1562 const EVP_MD *md = NULL;
1442 unsigned char *p,*d; 1563 unsigned char *p,*d;
1443 int al,i; 1564 int al,i;
1444 unsigned long type; 1565 unsigned long type;
@@ -1679,21 +1800,44 @@ int ssl3_send_server_key_exchange(SSL *s)
1679 } 1800 }
1680 else 1801 else
1681#endif /* !OPENSSL_NO_PSK */ 1802#endif /* !OPENSSL_NO_PSK */
1803#ifndef OPENSSL_NO_SRP
1804 if (type & SSL_kSRP)
1805 {
1806 if ((s->srp_ctx.N == NULL) ||
1807 (s->srp_ctx.g == NULL) ||
1808 (s->srp_ctx.s == NULL) ||
1809 (s->srp_ctx.B == NULL))
1810 {
1811 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_SRP_PARAM);
1812 goto err;
1813 }
1814 r[0]=s->srp_ctx.N;
1815 r[1]=s->srp_ctx.g;
1816 r[2]=s->srp_ctx.s;
1817 r[3]=s->srp_ctx.B;
1818 }
1819 else
1820#endif
1682 { 1821 {
1683 al=SSL_AD_HANDSHAKE_FAILURE; 1822 al=SSL_AD_HANDSHAKE_FAILURE;
1684 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1685 goto f_err; 1824 goto f_err;
1686 } 1825 }
1687 for (i=0; r[i] != NULL; i++) 1826 for (i=0; r[i] != NULL && i<4; i++)
1688 { 1827 {
1689 nr[i]=BN_num_bytes(r[i]); 1828 nr[i]=BN_num_bytes(r[i]);
1829#ifndef OPENSSL_NO_SRP
1830 if ((i == 2) && (type & SSL_kSRP))
1831 n+=1+nr[i];
1832 else
1833#endif
1690 n+=2+nr[i]; 1834 n+=2+nr[i];
1691 } 1835 }
1692 1836
1693 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1837 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1694 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 1838 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1695 { 1839 {
1696 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 1840 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher,&md))
1697 == NULL) 1841 == NULL)
1698 { 1842 {
1699 al=SSL_AD_DECODE_ERROR; 1843 al=SSL_AD_DECODE_ERROR;
@@ -1715,8 +1859,16 @@ int ssl3_send_server_key_exchange(SSL *s)
1715 d=(unsigned char *)s->init_buf->data; 1859 d=(unsigned char *)s->init_buf->data;
1716 p= &(d[4]); 1860 p= &(d[4]);
1717 1861
1718 for (i=0; r[i] != NULL; i++) 1862 for (i=0; r[i] != NULL && i<4; i++)
1719 { 1863 {
1864#ifndef OPENSSL_NO_SRP
1865 if ((i == 2) && (type & SSL_kSRP))
1866 {
1867 *p = nr[i];
1868 p++;
1869 }
1870 else
1871#endif
1720 s2n(nr[i],p); 1872 s2n(nr[i],p);
1721 BN_bn2bin(r[i],p); 1873 BN_bn2bin(r[i],p);
1722 p+=nr[i]; 1874 p+=nr[i];
@@ -1764,12 +1916,15 @@ int ssl3_send_server_key_exchange(SSL *s)
1764 /* n is the length of the params, they start at &(d[4]) 1916 /* n is the length of the params, they start at &(d[4])
1765 * and p points to the space at the end. */ 1917 * and p points to the space at the end. */
1766#ifndef OPENSSL_NO_RSA 1918#ifndef OPENSSL_NO_RSA
1767 if (pkey->type == EVP_PKEY_RSA) 1919 if (pkey->type == EVP_PKEY_RSA
1920 && TLS1_get_version(s) < TLS1_2_VERSION)
1768 { 1921 {
1769 q=md_buf; 1922 q=md_buf;
1770 j=0; 1923 j=0;
1771 for (num=2; num > 0; num--) 1924 for (num=2; num > 0; num--)
1772 { 1925 {
1926 EVP_MD_CTX_set_flags(&md_ctx,
1927 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1773 EVP_DigestInit_ex(&md_ctx,(num == 2) 1928 EVP_DigestInit_ex(&md_ctx,(num == 2)
1774 ?s->ctx->md5:s->ctx->sha1, NULL); 1929 ?s->ctx->md5:s->ctx->sha1, NULL);
1775 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1930 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
@@ -1791,44 +1946,41 @@ int ssl3_send_server_key_exchange(SSL *s)
1791 } 1946 }
1792 else 1947 else
1793#endif 1948#endif
1794#if !defined(OPENSSL_NO_DSA) 1949 if (md)
1795 if (pkey->type == EVP_PKEY_DSA)
1796 { 1950 {
1797 /* lets do DSS */ 1951 /* For TLS1.2 and later send signature
1798 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1952 * algorithm */
1799 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1953 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1800 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1801 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1802 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1803 (unsigned int *)&i,pkey))
1804 { 1954 {
1805 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1955 if (!tls12_get_sigandhash(p, pkey, md))
1806 goto err; 1956 {
1957 /* Should never happen */
1958 al=SSL_AD_INTERNAL_ERROR;
1959 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
1960 goto f_err;
1961 }
1962 p+=2;
1807 } 1963 }
1808 s2n(i,p); 1964#ifdef SSL_DEBUG
1809 n+=i+2; 1965 fprintf(stderr, "Using hash %s\n",
1810 } 1966 EVP_MD_name(md));
1811 else
1812#endif 1967#endif
1813#if !defined(OPENSSL_NO_ECDSA) 1968 EVP_SignInit_ex(&md_ctx, md, NULL);
1814 if (pkey->type == EVP_PKEY_EC)
1815 {
1816 /* let's do ECDSA */
1817 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1818 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1969 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1819 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1970 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1820 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1971 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1821 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1972 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1822 (unsigned int *)&i,pkey)) 1973 (unsigned int *)&i,pkey))
1823 { 1974 {
1824 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA); 1975 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_EVP);
1825 goto err; 1976 goto err;
1826 } 1977 }
1827 s2n(i,p); 1978 s2n(i,p);
1828 n+=i+2; 1979 n+=i+2;
1980 if (TLS1_get_version(s) >= TLS1_2_VERSION)
1981 n+= 2;
1829 } 1982 }
1830 else 1983 else
1831#endif
1832 { 1984 {
1833 /* Is this error check actually needed? */ 1985 /* Is this error check actually needed? */
1834 al=SSL_AD_HANDSHAKE_FAILURE; 1986 al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1881,6 +2033,14 @@ int ssl3_send_certificate_request(SSL *s)
1881 p+=n; 2033 p+=n;
1882 n++; 2034 n++;
1883 2035
2036 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2037 {
2038 nl = tls12_get_req_sig_algs(s, p + 2);
2039 s2n(nl, p);
2040 p += nl + 2;
2041 n += nl + 2;
2042 }
2043
1884 off=n; 2044 off=n;
1885 p+=2; 2045 p+=2;
1886 n+=2; 2046 n+=2;
@@ -2600,6 +2760,44 @@ int ssl3_get_client_key_exchange(SSL *s)
2600 } 2760 }
2601 else 2761 else
2602#endif 2762#endif
2763#ifndef OPENSSL_NO_SRP
2764 if (alg_k & SSL_kSRP)
2765 {
2766 int param_len;
2767
2768 n2s(p,i);
2769 param_len=i+2;
2770 if (param_len > n)
2771 {
2772 al=SSL_AD_DECODE_ERROR;
2773 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_A_LENGTH);
2774 goto f_err;
2775 }
2776 if (!(s->srp_ctx.A=BN_bin2bn(p,i,NULL)))
2777 {
2778 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
2779 goto err;
2780 }
2781 if (s->session->srp_username != NULL)
2782 OPENSSL_free(s->session->srp_username);
2783 s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2784 if (s->session->srp_username == NULL)
2785 {
2786 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
2787 ERR_R_MALLOC_FAILURE);
2788 goto err;
2789 }
2790
2791 if ((s->session->master_key_length = SRP_generate_server_master_secret(s,s->session->master_key))<0)
2792 {
2793 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
2794 goto err;
2795 }
2796
2797 p+=i;
2798 }
2799 else
2800#endif /* OPENSSL_NO_SRP */
2603 if (alg_k & SSL_kGOST) 2801 if (alg_k & SSL_kGOST)
2604 { 2802 {
2605 int ret = 0; 2803 int ret = 0;
@@ -2683,7 +2881,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2683 return(1); 2881 return(1);
2684f_err: 2882f_err:
2685 ssl3_send_alert(s,SSL3_AL_FATAL,al); 2883 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2686#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) 2884#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_ECDH) || defined(OPENSSL_NO_SRP)
2687err: 2885err:
2688#endif 2886#endif
2689#ifndef OPENSSL_NO_ECDH 2887#ifndef OPENSSL_NO_ECDH
@@ -2704,12 +2902,15 @@ int ssl3_get_cert_verify(SSL *s)
2704 long n; 2902 long n;
2705 int type=0,i,j; 2903 int type=0,i,j;
2706 X509 *peer; 2904 X509 *peer;
2905 const EVP_MD *md = NULL;
2906 EVP_MD_CTX mctx;
2907 EVP_MD_CTX_init(&mctx);
2707 2908
2708 n=s->method->ssl_get_message(s, 2909 n=s->method->ssl_get_message(s,
2709 SSL3_ST_SR_CERT_VRFY_A, 2910 SSL3_ST_SR_CERT_VRFY_A,
2710 SSL3_ST_SR_CERT_VRFY_B, 2911 SSL3_ST_SR_CERT_VRFY_B,
2711 -1, 2912 -1,
2712 514, /* 514? */ 2913 516, /* Enough for 4096 bit RSA key with TLS v1.2 */
2713 &ok); 2914 &ok);
2714 2915
2715 if (!ok) return((int)n); 2916 if (!ok) return((int)n);
@@ -2729,7 +2930,7 @@ int ssl3_get_cert_verify(SSL *s)
2729 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) 2930 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
2730 { 2931 {
2731 s->s3->tmp.reuse_message=1; 2932 s->s3->tmp.reuse_message=1;
2732 if ((peer != NULL) && (type | EVP_PKT_SIGN)) 2933 if ((peer != NULL) && (type & EVP_PKT_SIGN))
2733 { 2934 {
2734 al=SSL_AD_UNEXPECTED_MESSAGE; 2935 al=SSL_AD_UNEXPECTED_MESSAGE;
2735 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); 2936 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
@@ -2772,6 +2973,36 @@ int ssl3_get_cert_verify(SSL *s)
2772 } 2973 }
2773 else 2974 else
2774 { 2975 {
2976 if (TLS1_get_version(s) >= TLS1_2_VERSION)
2977 {
2978 int sigalg = tls12_get_sigid(pkey);
2979 /* Should never happen */
2980 if (sigalg == -1)
2981 {
2982 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
2983 al=SSL_AD_INTERNAL_ERROR;
2984 goto f_err;
2985 }
2986 /* Check key type is consistent with signature */
2987 if (sigalg != (int)p[1])
2988 {
2989 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_WRONG_SIGNATURE_TYPE);
2990 al=SSL_AD_DECODE_ERROR;
2991 goto f_err;
2992 }
2993 md = tls12_get_hash(p[0]);
2994 if (md == NULL)
2995 {
2996 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_UNKNOWN_DIGEST);
2997 al=SSL_AD_DECODE_ERROR;
2998 goto f_err;
2999 }
3000#ifdef SSL_DEBUG
3001fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
3002#endif
3003 p += 2;
3004 n -= 2;
3005 }
2775 n2s(p,i); 3006 n2s(p,i);
2776 n-=2; 3007 n-=2;
2777 if (i > n) 3008 if (i > n)
@@ -2789,6 +3020,37 @@ int ssl3_get_cert_verify(SSL *s)
2789 goto f_err; 3020 goto f_err;
2790 } 3021 }
2791 3022
3023 if (TLS1_get_version(s) >= TLS1_2_VERSION)
3024 {
3025 long hdatalen = 0;
3026 void *hdata;
3027 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
3028 if (hdatalen <= 0)
3029 {
3030 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
3031 al=SSL_AD_INTERNAL_ERROR;
3032 goto f_err;
3033 }
3034#ifdef SSL_DEBUG
3035 fprintf(stderr, "Using TLS 1.2 with client verify alg %s\n",
3036 EVP_MD_name(md));
3037#endif
3038 if (!EVP_VerifyInit_ex(&mctx, md, NULL)
3039 || !EVP_VerifyUpdate(&mctx, hdata, hdatalen))
3040 {
3041 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_EVP_LIB);
3042 al=SSL_AD_INTERNAL_ERROR;
3043 goto f_err;
3044 }
3045
3046 if (EVP_VerifyFinal(&mctx, p , i, pkey) <= 0)
3047 {
3048 al=SSL_AD_DECRYPT_ERROR;
3049 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_SIGNATURE);
3050 goto f_err;
3051 }
3052 }
3053 else
2792#ifndef OPENSSL_NO_RSA 3054#ifndef OPENSSL_NO_RSA
2793 if (pkey->type == EVP_PKEY_RSA) 3055 if (pkey->type == EVP_PKEY_RSA)
2794 { 3056 {
@@ -2879,6 +3141,13 @@ f_err:
2879 ssl3_send_alert(s,SSL3_AL_FATAL,al); 3141 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2880 } 3142 }
2881end: 3143end:
3144 if (s->s3->handshake_buffer)
3145 {
3146 BIO_free(s->s3->handshake_buffer);
3147 s->s3->handshake_buffer = NULL;
3148 s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
3149 }
3150 EVP_MD_CTX_cleanup(&mctx);
2882 EVP_PKEY_free(pkey); 3151 EVP_PKEY_free(pkey);
2883 return(ret); 3152 return(ret);
2884 } 3153 }
@@ -2991,6 +3260,12 @@ int ssl3_get_client_certificate(SSL *s)
2991 al=SSL_AD_HANDSHAKE_FAILURE; 3260 al=SSL_AD_HANDSHAKE_FAILURE;
2992 goto f_err; 3261 goto f_err;
2993 } 3262 }
3263 /* No client certificate so digest cached records */
3264 if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s))
3265 {
3266 al=SSL_AD_INTERNAL_ERROR;
3267 goto f_err;
3268 }
2994 } 3269 }
2995 else 3270 else
2996 { 3271 {
@@ -3067,13 +3342,17 @@ int ssl3_send_server_certificate(SSL *s)
3067 /* SSL3_ST_SW_CERT_B */ 3342 /* SSL3_ST_SW_CERT_B */
3068 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3343 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3069 } 3344 }
3345
3070#ifndef OPENSSL_NO_TLSEXT 3346#ifndef OPENSSL_NO_TLSEXT
3347/* send a new session ticket (not necessarily for a new session) */
3071int ssl3_send_newsession_ticket(SSL *s) 3348int ssl3_send_newsession_ticket(SSL *s)
3072 { 3349 {
3073 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 3350 if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
3074 { 3351 {
3075 unsigned char *p, *senc, *macstart; 3352 unsigned char *p, *senc, *macstart;
3076 int len, slen; 3353 const unsigned char *const_p;
3354 int len, slen_full, slen;
3355 SSL_SESSION *sess;
3077 unsigned int hlen; 3356 unsigned int hlen;
3078 EVP_CIPHER_CTX ctx; 3357 EVP_CIPHER_CTX ctx;
3079 HMAC_CTX hctx; 3358 HMAC_CTX hctx;
@@ -3082,12 +3361,38 @@ int ssl3_send_newsession_ticket(SSL *s)
3082 unsigned char key_name[16]; 3361 unsigned char key_name[16];
3083 3362
3084 /* get session encoding length */ 3363 /* get session encoding length */
3085 slen = i2d_SSL_SESSION(s->session, NULL); 3364 slen_full = i2d_SSL_SESSION(s->session, NULL);
3086 /* Some length values are 16 bits, so forget it if session is 3365 /* Some length values are 16 bits, so forget it if session is
3087 * too long 3366 * too long
3088 */ 3367 */
3089 if (slen > 0xFF00) 3368 if (slen_full > 0xFF00)
3369 return -1;
3370 senc = OPENSSL_malloc(slen_full);
3371 if (!senc)
3372 return -1;
3373 p = senc;
3374 i2d_SSL_SESSION(s->session, &p);
3375
3376 /* create a fresh copy (not shared with other threads) to clean up */
3377 const_p = senc;
3378 sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3379 if (sess == NULL)
3380 {
3381 OPENSSL_free(senc);
3090 return -1; 3382 return -1;
3383 }
3384 sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3385
3386 slen = i2d_SSL_SESSION(sess, NULL);
3387 if (slen > slen_full) /* shouldn't ever happen */
3388 {
3389 OPENSSL_free(senc);
3390 return -1;
3391 }
3392 p = senc;
3393 i2d_SSL_SESSION(sess, &p);
3394 SSL_SESSION_free(sess);
3395
3091 /* Grow buffer if need be: the length calculation is as 3396 /* Grow buffer if need be: the length calculation is as
3092 * follows 1 (size of message name) + 3 (message length 3397 * follows 1 (size of message name) + 3 (message length
3093 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + 3398 * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) +
@@ -3099,11 +3404,6 @@ int ssl3_send_newsession_ticket(SSL *s)
3099 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + 3404 26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
3100 EVP_MAX_MD_SIZE + slen)) 3405 EVP_MAX_MD_SIZE + slen))
3101 return -1; 3406 return -1;
3102 senc = OPENSSL_malloc(slen);
3103 if (!senc)
3104 return -1;
3105 p = senc;
3106 i2d_SSL_SESSION(s->session, &p);
3107 3407
3108 p=(unsigned char *)s->init_buf->data; 3408 p=(unsigned char *)s->init_buf->data;
3109 /* do the header */ 3409 /* do the header */
@@ -3134,7 +3434,13 @@ int ssl3_send_newsession_ticket(SSL *s)
3134 tlsext_tick_md(), NULL); 3434 tlsext_tick_md(), NULL);
3135 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 3435 memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3136 } 3436 }
3137 l2n(s->session->tlsext_tick_lifetime_hint, p); 3437
3438 /* Ticket lifetime hint (advisory only):
3439 * We leave this unspecified for resumed session (for simplicity),
3440 * and guess that tickets for new sessions will live as long
3441 * as their sessions. */
3442 l2n(s->hit ? 0 : s->session->timeout, p);
3443
3138 /* Skip ticket length for now */ 3444 /* Skip ticket length for now */
3139 p += 2; 3445 p += 2;
3140 /* Output key name */ 3446 /* Output key name */
@@ -3209,4 +3515,72 @@ int ssl3_send_cert_status(SSL *s)
3209 /* SSL3_ST_SW_CERT_STATUS_B */ 3515 /* SSL3_ST_SW_CERT_STATUS_B */
3210 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); 3516 return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
3211 } 3517 }
3518
3519# ifndef OPENSSL_NO_NEXTPROTONEG
3520/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
3521 * sets the next_proto member in s if found */
3522int ssl3_get_next_proto(SSL *s)
3523 {
3524 int ok;
3525 int proto_len, padding_len;
3526 long n;
3527 const unsigned char *p;
3528
3529 /* Clients cannot send a NextProtocol message if we didn't see the
3530 * extension in their ClientHello */
3531 if (!s->s3->next_proto_neg_seen)
3532 {
3533 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
3534 return -1;
3535 }
3536
3537 n=s->method->ssl_get_message(s,
3538 SSL3_ST_SR_NEXT_PROTO_A,
3539 SSL3_ST_SR_NEXT_PROTO_B,
3540 SSL3_MT_NEXT_PROTO,
3541 514, /* See the payload format below */
3542 &ok);
3543
3544 if (!ok)
3545 return((int)n);
3546
3547 /* s->state doesn't reflect whether ChangeCipherSpec has been received
3548 * in this handshake, but s->s3->change_cipher_spec does (will be reset
3549 * by ssl3_get_finished). */
3550 if (!s->s3->change_cipher_spec)
3551 {
3552 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
3553 return -1;
3554 }
3555
3556 if (n < 2)
3557 return 0; /* The body must be > 1 bytes long */
3558
3559 p=(unsigned char *)s->init_msg;
3560
3561 /* The payload looks like:
3562 * uint8 proto_len;
3563 * uint8 proto[proto_len];
3564 * uint8 padding_len;
3565 * uint8 padding[padding_len];
3566 */
3567 proto_len = p[0];
3568 if (proto_len + 2 > s->init_num)
3569 return 0;
3570 padding_len = p[proto_len + 1];
3571 if (proto_len + padding_len + 2 != s->init_num)
3572 return 0;
3573
3574 s->next_proto_negotiated = OPENSSL_malloc(proto_len);
3575 if (!s->next_proto_negotiated)
3576 {
3577 SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
3578 return 0;
3579 }
3580 memcpy(s->next_proto_negotiated, p + 1, proto_len);
3581 s->next_proto_negotiated_len = proto_len;
3582
3583 return 1;
3584 }
3585# endif
3212#endif 3586#endif
diff --git a/src/lib/libssl/srtp.h b/src/lib/libssl/srtp.h
new file mode 100644
index 0000000000..c0cf33ef28
--- /dev/null
+++ b/src/lib/libssl/srtp.h
@@ -0,0 +1,145 @@
1/* ssl/tls1.h */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/*
112 DTLS code by Eric Rescorla <ekr@rtfm.com>
113
114 Copyright (C) 2006, Network Resonance, Inc.
115 Copyright (C) 2011, RTFM, Inc.
116*/
117
118#ifndef HEADER_D1_SRTP_H
119#define HEADER_D1_SRTP_H
120
121#ifdef __cplusplus
122extern "C" {
123#endif
124
125
126#define SRTP_AES128_CM_SHA1_80 0x0001
127#define SRTP_AES128_CM_SHA1_32 0x0002
128#define SRTP_AES128_F8_SHA1_80 0x0003
129#define SRTP_AES128_F8_SHA1_32 0x0004
130#define SRTP_NULL_SHA1_80 0x0005
131#define SRTP_NULL_SHA1_32 0x0006
132
133int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles);
134int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles);
135SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
136
137STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
138SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
139
140#ifdef __cplusplus
141}
142#endif
143
144#endif
145
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 8f922eea72..8b0c2a2dac 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -252,6 +252,7 @@ extern "C" {
252#define SSL_TXT_kEECDH "kEECDH" 252#define SSL_TXT_kEECDH "kEECDH"
253#define SSL_TXT_kPSK "kPSK" 253#define SSL_TXT_kPSK "kPSK"
254#define SSL_TXT_kGOST "kGOST" 254#define SSL_TXT_kGOST "kGOST"
255#define SSL_TXT_kSRP "kSRP"
255 256
256#define SSL_TXT_aRSA "aRSA" 257#define SSL_TXT_aRSA "aRSA"
257#define SSL_TXT_aDSS "aDSS" 258#define SSL_TXT_aDSS "aDSS"
@@ -275,6 +276,7 @@ extern "C" {
275#define SSL_TXT_ECDSA "ECDSA" 276#define SSL_TXT_ECDSA "ECDSA"
276#define SSL_TXT_KRB5 "KRB5" 277#define SSL_TXT_KRB5 "KRB5"
277#define SSL_TXT_PSK "PSK" 278#define SSL_TXT_PSK "PSK"
279#define SSL_TXT_SRP "SRP"
278 280
279#define SSL_TXT_DES "DES" 281#define SSL_TXT_DES "DES"
280#define SSL_TXT_3DES "3DES" 282#define SSL_TXT_3DES "3DES"
@@ -285,6 +287,7 @@ extern "C" {
285#define SSL_TXT_AES128 "AES128" 287#define SSL_TXT_AES128 "AES128"
286#define SSL_TXT_AES256 "AES256" 288#define SSL_TXT_AES256 "AES256"
287#define SSL_TXT_AES "AES" 289#define SSL_TXT_AES "AES"
290#define SSL_TXT_AES_GCM "AESGCM"
288#define SSL_TXT_CAMELLIA128 "CAMELLIA128" 291#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
289#define SSL_TXT_CAMELLIA256 "CAMELLIA256" 292#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
290#define SSL_TXT_CAMELLIA "CAMELLIA" 293#define SSL_TXT_CAMELLIA "CAMELLIA"
@@ -294,10 +297,14 @@ extern "C" {
294#define SSL_TXT_SHA "SHA" /* same as "SHA1" */ 297#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
295#define SSL_TXT_GOST94 "GOST94" 298#define SSL_TXT_GOST94 "GOST94"
296#define SSL_TXT_GOST89MAC "GOST89MAC" 299#define SSL_TXT_GOST89MAC "GOST89MAC"
300#define SSL_TXT_SHA256 "SHA256"
301#define SSL_TXT_SHA384 "SHA384"
297 302
298#define SSL_TXT_SSLV2 "SSLv2" 303#define SSL_TXT_SSLV2 "SSLv2"
299#define SSL_TXT_SSLV3 "SSLv3" 304#define SSL_TXT_SSLV3 "SSLv3"
300#define SSL_TXT_TLSV1 "TLSv1" 305#define SSL_TXT_TLSV1 "TLSv1"
306#define SSL_TXT_TLSV1_1 "TLSv1.1"
307#define SSL_TXT_TLSV1_2 "TLSv1.2"
301 308
302#define SSL_TXT_EXP "EXP" 309#define SSL_TXT_EXP "EXP"
303#define SSL_TXT_EXPORT "EXPORT" 310#define SSL_TXT_EXPORT "EXPORT"
@@ -356,9 +363,29 @@ extern "C" {
356 * in SSL_CTX. */ 363 * in SSL_CTX. */
357typedef struct ssl_st *ssl_crock_st; 364typedef struct ssl_st *ssl_crock_st;
358typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT; 365typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
366typedef struct ssl_method_st SSL_METHOD;
367typedef struct ssl_cipher_st SSL_CIPHER;
368typedef struct ssl_session_st SSL_SESSION;
369
370DECLARE_STACK_OF(SSL_CIPHER)
371
372/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
373typedef struct srtp_protection_profile_st
374 {
375 const char *name;
376 unsigned long id;
377 } SRTP_PROTECTION_PROFILE;
378
379DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
380
381typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
382typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
383
384
385#ifndef OPENSSL_NO_SSL_INTERN
359 386
360/* used to hold info on the particular ciphers used */ 387/* used to hold info on the particular ciphers used */
361typedef struct ssl_cipher_st 388struct ssl_cipher_st
362 { 389 {
363 int valid; 390 int valid;
364 const char *name; /* text name */ 391 const char *name; /* text name */
@@ -375,15 +402,11 @@ typedef struct ssl_cipher_st
375 unsigned long algorithm2; /* Extra flags */ 402 unsigned long algorithm2; /* Extra flags */
376 int strength_bits; /* Number of bits really used */ 403 int strength_bits; /* Number of bits really used */
377 int alg_bits; /* Number of bits for algorithm */ 404 int alg_bits; /* Number of bits for algorithm */
378 } SSL_CIPHER; 405 };
379
380DECLARE_STACK_OF(SSL_CIPHER)
381 406
382typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
383typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
384 407
385/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ 408/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
386typedef struct ssl_method_st 409struct ssl_method_st
387 { 410 {
388 int version; 411 int version;
389 int (*ssl_new)(SSL *s); 412 int (*ssl_new)(SSL *s);
@@ -416,7 +439,7 @@ typedef struct ssl_method_st
416 int (*ssl_version)(void); 439 int (*ssl_version)(void);
417 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void)); 440 long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
418 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void)); 441 long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
419 } SSL_METHOD; 442 };
420 443
421/* Lets make this into an ASN.1 type structure as follows 444/* Lets make this into an ASN.1 type structure as follows
422 * SSL_SESSION_ID ::= SEQUENCE { 445 * SSL_SESSION_ID ::= SEQUENCE {
@@ -433,14 +456,17 @@ typedef struct ssl_method_st
433 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context 456 * Session_ID_context [ 4 ] EXPLICIT OCTET STRING, -- the Session ID context
434 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer' 457 * Verify_result [ 5 ] EXPLICIT INTEGER, -- X509_V_... code for `Peer'
435 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension 458 * HostName [ 6 ] EXPLICIT OCTET STRING, -- optional HostName from servername TLS extension
436 * ECPointFormatList [ 7 ] OCTET STRING, -- optional EC point format list from TLS extension 459 * PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
437 * PSK_identity_hint [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity hint 460 * PSK_identity [ 8 ] EXPLICIT OCTET STRING, -- optional PSK identity
438 * PSK_identity [ 9 ] EXPLICIT OCTET STRING -- optional PSK identity 461 * Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
462 * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
463 * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
464 * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
439 * } 465 * }
440 * Look in ssl/ssl_asn1.c for more details 466 * Look in ssl/ssl_asn1.c for more details
441 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). 467 * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
442 */ 468 */
443typedef struct ssl_session_st 469struct ssl_session_st
444 { 470 {
445 int ssl_version; /* what ssl version session info is 471 int ssl_version; /* what ssl version session info is
446 * being kept in here? */ 472 * being kept in here? */
@@ -512,8 +538,12 @@ typedef struct ssl_session_st
512 size_t tlsext_ticklen; /* Session ticket length */ 538 size_t tlsext_ticklen; /* Session ticket length */
513 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ 539 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
514#endif 540#endif
515 } SSL_SESSION; 541#ifndef OPENSSL_NO_SRP
542 char *srp_username;
543#endif
544 };
516 545
546#endif
517 547
518#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L 548#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
519#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L 549#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
@@ -536,7 +566,7 @@ typedef struct ssl_session_st
536 566
537/* SSL_OP_ALL: various bug workarounds that should be rather harmless. 567/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
538 * This used to be 0x000FFFFFL before 0.9.7. */ 568 * This used to be 0x000FFFFFL before 0.9.7. */
539#define SSL_OP_ALL 0x80000FFFL 569#define SSL_OP_ALL 0x80000BFFL
540 570
541/* DTLS options */ 571/* DTLS options */
542#define SSL_OP_NO_QUERY_MTU 0x00001000L 572#define SSL_OP_NO_QUERY_MTU 0x00001000L
@@ -572,11 +602,17 @@ typedef struct ssl_session_st
572#define SSL_OP_NO_SSLv2 0x01000000L 602#define SSL_OP_NO_SSLv2 0x01000000L
573#define SSL_OP_NO_SSLv3 0x02000000L 603#define SSL_OP_NO_SSLv3 0x02000000L
574#define SSL_OP_NO_TLSv1 0x04000000L 604#define SSL_OP_NO_TLSv1 0x04000000L
605#define SSL_OP_NO_TLSv1_2 0x08000000L
606#define SSL_OP_NO_TLSv1_1 0x10000000L
575 607
608/* These next two were never actually used for anything since SSLeay
609 * zap so we have some more flags.
610 */
576/* The next flag deliberately changes the ciphertest, this is a check 611/* The next flag deliberately changes the ciphertest, this is a check
577 * for the PKCS#1 attack */ 612 * for the PKCS#1 attack */
578#define SSL_OP_PKCS1_CHECK_1 0x08000000L 613#define SSL_OP_PKCS1_CHECK_1 0x0
579#define SSL_OP_PKCS1_CHECK_2 0x10000000L 614#define SSL_OP_PKCS1_CHECK_2 0x0
615
580#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L 616#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
581#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L 617#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
582/* Make server add server-hello extension from early version of 618/* Make server add server-hello extension from early version of
@@ -637,12 +673,53 @@ typedef struct ssl_session_st
637#define SSL_get_secure_renegotiation_support(ssl) \ 673#define SSL_get_secure_renegotiation_support(ssl) \
638 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL) 674 SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
639 675
676#ifndef OPENSSL_NO_HEARTBEATS
677#define SSL_heartbeat(ssl) \
678 SSL_ctrl((ssl),SSL_CTRL_TLS_EXT_SEND_HEARTBEAT,0,NULL)
679#endif
680
640void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); 681void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
641void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); 682void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
642#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) 683#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
643#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) 684#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
644 685
686#ifndef OPENSSL_NO_SRP
645 687
688#ifndef OPENSSL_NO_SSL_INTERN
689
690typedef struct srp_ctx_st
691 {
692 /* param for all the callbacks */
693 void *SRP_cb_arg;
694 /* set client Hello login callback */
695 int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
696 /* set SRP N/g param callback for verification */
697 int (*SRP_verify_param_callback)(SSL *, void *);
698 /* set SRP client passwd callback */
699 char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
700
701 char *login;
702 BIGNUM *N,*g,*s,*B,*A;
703 BIGNUM *a,*b,*v;
704 char *info;
705 int strength;
706
707 unsigned long srp_Mask;
708 } SRP_CTX;
709
710#endif
711
712/* see tls_srp.c */
713int SSL_SRP_CTX_init(SSL *s);
714int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
715int SSL_SRP_CTX_free(SSL *ctx);
716int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
717int SSL_srp_server_param_with_username(SSL *s, int *ad);
718int SRP_generate_server_master_secret(SSL *s,unsigned char *master_key);
719int SRP_Calc_A_param(SSL *s);
720int SRP_generate_client_master_secret(SSL *s,unsigned char *master_key);
721
722#endif
646 723
647#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) 724#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
648#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */ 725#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
@@ -668,7 +745,11 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int con
668typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, 745typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
669 unsigned int *id_len); 746 unsigned int *id_len);
670 747
671typedef struct ssl_comp_st 748typedef struct ssl_comp_st SSL_COMP;
749
750#ifndef OPENSSL_NO_SSL_INTERN
751
752struct ssl_comp_st
672 { 753 {
673 int id; 754 int id;
674 const char *name; 755 const char *name;
@@ -677,7 +758,7 @@ typedef struct ssl_comp_st
677#else 758#else
678 char *method; 759 char *method;
679#endif 760#endif
680 } SSL_COMP; 761 };
681 762
682DECLARE_STACK_OF(SSL_COMP) 763DECLARE_STACK_OF(SSL_COMP)
683DECLARE_LHASH_OF(SSL_SESSION); 764DECLARE_LHASH_OF(SSL_SESSION);
@@ -846,7 +927,6 @@ struct ssl_ctx_st
846 /* Callback for status request */ 927 /* Callback for status request */
847 int (*tlsext_status_cb)(SSL *ssl, void *arg); 928 int (*tlsext_status_cb)(SSL *ssl, void *arg);
848 void *tlsext_status_arg; 929 void *tlsext_status_arg;
849
850 /* draft-rescorla-tls-opaque-prf-input-00.txt information */ 930 /* draft-rescorla-tls-opaque-prf-input-00.txt information */
851 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); 931 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
852 void *tlsext_opaque_prf_input_callback_arg; 932 void *tlsext_opaque_prf_input_callback_arg;
@@ -867,8 +947,36 @@ struct ssl_ctx_st
867 struct ssl3_buf_freelist_st *wbuf_freelist; 947 struct ssl3_buf_freelist_st *wbuf_freelist;
868 struct ssl3_buf_freelist_st *rbuf_freelist; 948 struct ssl3_buf_freelist_st *rbuf_freelist;
869#endif 949#endif
950#ifndef OPENSSL_NO_SRP
951 SRP_CTX srp_ctx; /* ctx for SRP authentication */
952#endif
953
954#ifndef OPENSSL_NO_TLSEXT
955# ifndef OPENSSL_NO_NEXTPROTONEG
956 /* Next protocol negotiation information */
957 /* (for experimental NPN extension). */
958
959 /* For a server, this contains a callback function by which the set of
960 * advertised protocols can be provided. */
961 int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
962 unsigned int *len, void *arg);
963 void *next_protos_advertised_cb_arg;
964 /* For a client, this contains a callback function that selects the
965 * next protocol from the list provided by the server. */
966 int (*next_proto_select_cb)(SSL *s, unsigned char **out,
967 unsigned char *outlen,
968 const unsigned char *in,
969 unsigned int inlen,
970 void *arg);
971 void *next_proto_select_cb_arg;
972# endif
973 /* SRTP profiles we are willing to do from RFC 5764 */
974 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
975#endif
870 }; 976 };
871 977
978#endif
979
872#define SSL_SESS_CACHE_OFF 0x0000 980#define SSL_SESS_CACHE_OFF 0x0000
873#define SSL_SESS_CACHE_CLIENT 0x0001 981#define SSL_SESS_CACHE_CLIENT 0x0001
874#define SSL_SESS_CACHE_SERVER 0x0002 982#define SSL_SESS_CACHE_SERVER 0x0002
@@ -921,6 +1029,32 @@ int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
921#endif 1029#endif
922void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); 1030void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
923void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)); 1031void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
1032#ifndef OPENSSL_NO_NEXTPROTONEG
1033void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
1034 int (*cb) (SSL *ssl,
1035 const unsigned char **out,
1036 unsigned int *outlen,
1037 void *arg),
1038 void *arg);
1039void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
1040 int (*cb) (SSL *ssl,
1041 unsigned char **out,
1042 unsigned char *outlen,
1043 const unsigned char *in,
1044 unsigned int inlen,
1045 void *arg),
1046 void *arg);
1047
1048int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
1049 const unsigned char *in, unsigned int inlen,
1050 const unsigned char *client, unsigned int client_len);
1051void SSL_get0_next_proto_negotiated(const SSL *s,
1052 const unsigned char **data, unsigned *len);
1053
1054#define OPENSSL_NPN_UNSUPPORTED 0
1055#define OPENSSL_NPN_NEGOTIATED 1
1056#define OPENSSL_NPN_NO_OVERLAP 2
1057#endif
924 1058
925#ifndef OPENSSL_NO_PSK 1059#ifndef OPENSSL_NO_PSK
926/* the maximum length of the buffer given to callbacks containing the 1060/* the maximum length of the buffer given to callbacks containing the
@@ -961,6 +1095,8 @@ const char *SSL_get_psk_identity(const SSL *s);
961#define SSL_MAC_FLAG_READ_MAC_STREAM 1 1095#define SSL_MAC_FLAG_READ_MAC_STREAM 1
962#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 1096#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
963 1097
1098#ifndef OPENSSL_NO_SSL_INTERN
1099
964struct ssl_st 1100struct ssl_st
965 { 1101 {
966 /* protocol version 1102 /* protocol version
@@ -1005,9 +1141,7 @@ struct ssl_st
1005 1141
1006 int server; /* are we the server side? - mostly used by SSL_clear*/ 1142 int server; /* are we the server side? - mostly used by SSL_clear*/
1007 1143
1008 int new_session;/* 1 if we are to use a new session. 1144 int new_session;/* Generate a new session or reuse an old one.
1009 * 2 if we are a server and are inside a handshake
1010 * (i.e. not just sending a HelloRequest)
1011 * NB: For servers, the 'new' session may actually be a previously 1145 * NB: For servers, the 'new' session may actually be a previously
1012 * cached session or even the previous session unless 1146 * cached session or even the previous session unless
1013 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 1147 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
@@ -1177,12 +1311,46 @@ struct ssl_st
1177 void *tls_session_secret_cb_arg; 1311 void *tls_session_secret_cb_arg;
1178 1312
1179 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ 1313 SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
1314
1315#ifndef OPENSSL_NO_NEXTPROTONEG
1316 /* Next protocol negotiation. For the client, this is the protocol that
1317 * we sent in NextProtocol and is set when handling ServerHello
1318 * extensions.
1319 *
1320 * For a server, this is the client's selected_protocol from
1321 * NextProtocol and is set when handling the NextProtocol message,
1322 * before the Finished message. */
1323 unsigned char *next_proto_negotiated;
1324 unsigned char next_proto_negotiated_len;
1325#endif
1326
1180#define session_ctx initial_ctx 1327#define session_ctx initial_ctx
1328
1329 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
1330 SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
1331
1332 unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated?
1333 0: disabled
1334 1: enabled
1335 2: enabled, but not allowed to send Requests
1336 */
1337 unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
1338 unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
1181#else 1339#else
1182#define session_ctx ctx 1340#define session_ctx ctx
1183#endif /* OPENSSL_NO_TLSEXT */ 1341#endif /* OPENSSL_NO_TLSEXT */
1342
1343 int renegotiate;/* 1 if we are renegotiating.
1344 * 2 if we are a server and are inside a handshake
1345 * (i.e. not just sending a HelloRequest) */
1346
1347#ifndef OPENSSL_NO_SRP
1348 SRP_CTX srp_ctx; /* ctx for SRP authentication */
1349#endif
1184 }; 1350 };
1185 1351
1352#endif
1353
1186#ifdef __cplusplus 1354#ifdef __cplusplus
1187} 1355}
1188#endif 1356#endif
@@ -1192,6 +1360,7 @@ struct ssl_st
1192#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */ 1360#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
1193#include <openssl/dtls1.h> /* Datagram TLS */ 1361#include <openssl/dtls1.h> /* Datagram TLS */
1194#include <openssl/ssl23.h> 1362#include <openssl/ssl23.h>
1363#include <openssl/srtp.h> /* Support for the use_srtp extension */
1195 1364
1196#ifdef __cplusplus 1365#ifdef __cplusplus
1197extern "C" { 1366extern "C" {
@@ -1408,6 +1577,20 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1408#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71 1577#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP 71
1409 1578
1410#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 1579#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
1580
1581#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
1582#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
1583#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
1584
1585#define SSL_CTRL_SET_SRP_ARG 78
1586#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
1587#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
1588#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
1589#ifndef OPENSSL_NO_HEARTBEATS
1590#define SSL_CTRL_TLS_EXT_SEND_HEARTBEAT 85
1591#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86
1592#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87
1593#endif
1411#endif 1594#endif
1412 1595
1413#define DTLS_CTRL_GET_TIMEOUT 73 1596#define DTLS_CTRL_GET_TIMEOUT 73
@@ -1418,6 +1601,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1418#define SSL_CTRL_CLEAR_OPTIONS 77 1601#define SSL_CTRL_CLEAR_OPTIONS 77
1419#define SSL_CTRL_CLEAR_MODE 78 1602#define SSL_CTRL_CLEAR_MODE 78
1420 1603
1604#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
1605#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
1606
1421#define DTLSv1_get_timeout(ssl, arg) \ 1607#define DTLSv1_get_timeout(ssl, arg) \
1422 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) 1608 SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
1423#define DTLSv1_handle_timeout(ssl) \ 1609#define DTLSv1_handle_timeout(ssl) \
@@ -1454,6 +1640,10 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
1454 1640
1455#define SSL_CTX_add_extra_chain_cert(ctx,x509) \ 1641#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
1456 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) 1642 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
1643#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
1644 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
1645#define SSL_CTX_clear_extra_chain_certs(ctx) \
1646 SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
1457 1647
1458#ifndef OPENSSL_NO_BIO 1648#ifndef OPENSSL_NO_BIO
1459BIO_METHOD *BIO_f_ssl(void); 1649BIO_METHOD *BIO_f_ssl(void);
@@ -1481,6 +1671,7 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
1481int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits); 1671int SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
1482char * SSL_CIPHER_get_version(const SSL_CIPHER *c); 1672char * SSL_CIPHER_get_version(const SSL_CIPHER *c);
1483const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); 1673const char * SSL_CIPHER_get_name(const SSL_CIPHER *c);
1674unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c);
1484 1675
1485int SSL_get_fd(const SSL *s); 1676int SSL_get_fd(const SSL *s);
1486int SSL_get_rfd(const SSL *s); 1677int SSL_get_rfd(const SSL *s);
@@ -1546,10 +1737,14 @@ long SSL_SESSION_set_time(SSL_SESSION *s, long t);
1546long SSL_SESSION_get_timeout(const SSL_SESSION *s); 1737long SSL_SESSION_get_timeout(const SSL_SESSION *s);
1547long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); 1738long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
1548void SSL_copy_session_id(SSL *to,const SSL *from); 1739void SSL_copy_session_id(SSL *to,const SSL *from);
1740X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
1741int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
1742 unsigned int sid_ctx_len);
1549 1743
1550SSL_SESSION *SSL_SESSION_new(void); 1744SSL_SESSION *SSL_SESSION_new(void);
1551const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, 1745const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
1552 unsigned int *len); 1746 unsigned int *len);
1747unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
1553#ifndef OPENSSL_NO_FP_API 1748#ifndef OPENSSL_NO_FP_API
1554int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses); 1749int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
1555#endif 1750#endif
@@ -1612,6 +1807,30 @@ int SSL_set_trust(SSL *s, int trust);
1612int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); 1807int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
1613int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm); 1808int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
1614 1809
1810#ifndef OPENSSL_NO_SRP
1811int SSL_CTX_set_srp_username(SSL_CTX *ctx,char *name);
1812int SSL_CTX_set_srp_password(SSL_CTX *ctx,char *password);
1813int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
1814int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
1815 char *(*cb)(SSL *,void *));
1816int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
1817 int (*cb)(SSL *,void *));
1818int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
1819 int (*cb)(SSL *,int *,void *));
1820int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
1821
1822int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
1823 BIGNUM *sa, BIGNUM *v, char *info);
1824int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
1825 const char *grp);
1826
1827BIGNUM *SSL_get_srp_g(SSL *s);
1828BIGNUM *SSL_get_srp_N(SSL *s);
1829
1830char *SSL_get_srp_username(SSL *s);
1831char *SSL_get_srp_userinfo(SSL *s);
1832#endif
1833
1615void SSL_free(SSL *ssl); 1834void SSL_free(SSL *ssl);
1616int SSL_accept(SSL *ssl); 1835int SSL_accept(SSL *ssl);
1617int SSL_connect(SSL *ssl); 1836int SSL_connect(SSL *ssl);
@@ -1647,6 +1866,15 @@ const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
1647const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ 1866const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */
1648const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */ 1867const SSL_METHOD *TLSv1_client_method(void); /* TLSv1.0 */
1649 1868
1869const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */
1870const SSL_METHOD *TLSv1_1_server_method(void); /* TLSv1.1 */
1871const SSL_METHOD *TLSv1_1_client_method(void); /* TLSv1.1 */
1872
1873const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
1874const SSL_METHOD *TLSv1_2_server_method(void); /* TLSv1.2 */
1875const SSL_METHOD *TLSv1_2_client_method(void); /* TLSv1.2 */
1876
1877
1650const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ 1878const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
1651const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ 1879const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
1652const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ 1880const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
@@ -1655,6 +1883,7 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
1655 1883
1656int SSL_do_handshake(SSL *s); 1884int SSL_do_handshake(SSL *s);
1657int SSL_renegotiate(SSL *s); 1885int SSL_renegotiate(SSL *s);
1886int SSL_renegotiate_abbreviated(SSL *s);
1658int SSL_renegotiate_pending(SSL *s); 1887int SSL_renegotiate_pending(SSL *s);
1659int SSL_shutdown(SSL *s); 1888int SSL_shutdown(SSL *s);
1660 1889
@@ -1706,6 +1935,7 @@ void SSL_set_info_callback(SSL *ssl,
1706 void (*cb)(const SSL *ssl,int type,int val)); 1935 void (*cb)(const SSL *ssl,int type,int val));
1707void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val); 1936void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
1708int SSL_state(const SSL *ssl); 1937int SSL_state(const SSL *ssl);
1938void SSL_set_state(SSL *ssl, int state);
1709 1939
1710void SSL_set_verify_result(SSL *ssl,long v); 1940void SSL_set_verify_result(SSL *ssl,long v);
1711long SSL_get_verify_result(const SSL *ssl); 1941long SSL_get_verify_result(const SSL *ssl);
@@ -1806,6 +2036,9 @@ int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
1806/* Pre-shared secret session resumption functions */ 2036/* Pre-shared secret session resumption functions */
1807int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg); 2037int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
1808 2038
2039void SSL_set_debug(SSL *s, int debug);
2040int SSL_cache_hit(SSL *s);
2041
1809/* BEGIN ERROR CODES */ 2042/* BEGIN ERROR CODES */
1810/* The following lines are auto generated by the script mkerr.pl. Any changes 2043/* The following lines are auto generated by the script mkerr.pl. Any changes
1811 * made after this point may be overwritten when the script is next run. 2044 * made after this point may be overwritten when the script is next run.
@@ -1825,6 +2058,7 @@ void ERR_load_SSL_strings(void);
1825#define SSL_F_DTLS1_ACCEPT 246 2058#define SSL_F_DTLS1_ACCEPT 246
1826#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295 2059#define SSL_F_DTLS1_ADD_CERT_TO_BUF 295
1827#define SSL_F_DTLS1_BUFFER_RECORD 247 2060#define SSL_F_DTLS1_BUFFER_RECORD 247
2061#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316
1828#define SSL_F_DTLS1_CLIENT_HELLO 248 2062#define SSL_F_DTLS1_CLIENT_HELLO 248
1829#define SSL_F_DTLS1_CONNECT 249 2063#define SSL_F_DTLS1_CONNECT 249
1830#define SSL_F_DTLS1_ENC 250 2064#define SSL_F_DTLS1_ENC 250
@@ -1833,6 +2067,7 @@ void ERR_load_SSL_strings(void);
1833#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253 2067#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
1834#define SSL_F_DTLS1_GET_RECORD 254 2068#define SSL_F_DTLS1_GET_RECORD 254
1835#define SSL_F_DTLS1_HANDLE_TIMEOUT 297 2069#define SSL_F_DTLS1_HANDLE_TIMEOUT 297
2070#define SSL_F_DTLS1_HEARTBEAT 305
1836#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255 2071#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
1837#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288 2072#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
1838#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256 2073#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
@@ -1901,6 +2136,7 @@ void ERR_load_SSL_strings(void);
1901#define SSL_F_SSL3_GET_KEY_EXCHANGE 141 2136#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
1902#define SSL_F_SSL3_GET_MESSAGE 142 2137#define SSL_F_SSL3_GET_MESSAGE 142
1903#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283 2138#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
2139#define SSL_F_SSL3_GET_NEXT_PROTO 306
1904#define SSL_F_SSL3_GET_RECORD 143 2140#define SSL_F_SSL3_GET_RECORD 143
1905#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144 2141#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
1906#define SSL_F_SSL3_GET_SERVER_DONE 145 2142#define SSL_F_SSL3_GET_SERVER_DONE 145
@@ -1925,10 +2161,12 @@ void ERR_load_SSL_strings(void);
1925#define SSL_F_SSL3_WRITE_PENDING 159 2161#define SSL_F_SSL3_WRITE_PENDING 159
1926#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298 2162#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT 298
1927#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277 2163#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT 277
2164#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT 307
1928#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215 2165#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK 215
1929#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216 2166#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK 216
1930#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299 2167#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT 299
1931#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278 2168#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT 278
2169#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT 308
1932#define SSL_F_SSL_BAD_METHOD 160 2170#define SSL_F_SSL_BAD_METHOD 160
1933#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 2171#define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161
1934#define SSL_F_SSL_CERT_DUP 221 2172#define SSL_F_SSL_CERT_DUP 221
@@ -1945,6 +2183,7 @@ void ERR_load_SSL_strings(void);
1945#define SSL_F_SSL_CREATE_CIPHER_LIST 166 2183#define SSL_F_SSL_CREATE_CIPHER_LIST 166
1946#define SSL_F_SSL_CTRL 232 2184#define SSL_F_SSL_CTRL 232
1947#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 2185#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
2186#define SSL_F_SSL_CTX_MAKE_PROFILES 309
1948#define SSL_F_SSL_CTX_NEW 169 2187#define SSL_F_SSL_CTX_NEW 169
1949#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269 2188#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
1950#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290 2189#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 290
@@ -1973,8 +2212,10 @@ void ERR_load_SSL_strings(void);
1973#define SSL_F_SSL_NEW 186 2212#define SSL_F_SSL_NEW 186
1974#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300 2213#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT 300
1975#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302 2214#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT 302
2215#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT 310
1976#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301 2216#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
1977#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303 2217#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
2218#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT 311
1978#define SSL_F_SSL_PEEK 270 2219#define SSL_F_SSL_PEEK 270
1979#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 2220#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
1980#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 2221#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
@@ -1983,6 +2224,7 @@ void ERR_load_SSL_strings(void);
1983#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 2224#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
1984#define SSL_F_SSL_SESSION_NEW 189 2225#define SSL_F_SSL_SESSION_NEW 189
1985#define SSL_F_SSL_SESSION_PRINT_FP 190 2226#define SSL_F_SSL_SESSION_PRINT_FP 190
2227#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
1986#define SSL_F_SSL_SESS_CERT_NEW 225 2228#define SSL_F_SSL_SESS_CERT_NEW 225
1987#define SSL_F_SSL_SET_CERT 191 2229#define SSL_F_SSL_SET_CERT 191
1988#define SSL_F_SSL_SET_CIPHER_LIST 271 2230#define SSL_F_SSL_SET_CIPHER_LIST 271
@@ -1996,6 +2238,7 @@ void ERR_load_SSL_strings(void);
1996#define SSL_F_SSL_SET_TRUST 228 2238#define SSL_F_SSL_SET_TRUST 228
1997#define SSL_F_SSL_SET_WFD 196 2239#define SSL_F_SSL_SET_WFD 196
1998#define SSL_F_SSL_SHUTDOWN 224 2240#define SSL_F_SSL_SHUTDOWN 224
2241#define SSL_F_SSL_SRP_CTX_INIT 313
1999#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243 2242#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
2000#define SSL_F_SSL_UNDEFINED_FUNCTION 197 2243#define SSL_F_SSL_UNDEFINED_FUNCTION 197
2001#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 2244#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
@@ -2015,6 +2258,8 @@ void ERR_load_SSL_strings(void);
2015#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 2258#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
2016#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 2259#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
2017#define SSL_F_TLS1_ENC 210 2260#define SSL_F_TLS1_ENC 210
2261#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314
2262#define SSL_F_TLS1_HEARTBEAT 315
2018#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275 2263#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
2019#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276 2264#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
2020#define SSL_F_TLS1_PRF 284 2265#define SSL_F_TLS1_PRF 284
@@ -2054,6 +2299,13 @@ void ERR_load_SSL_strings(void);
2054#define SSL_R_BAD_RSA_MODULUS_LENGTH 121 2299#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
2055#define SSL_R_BAD_RSA_SIGNATURE 122 2300#define SSL_R_BAD_RSA_SIGNATURE 122
2056#define SSL_R_BAD_SIGNATURE 123 2301#define SSL_R_BAD_SIGNATURE 123
2302#define SSL_R_BAD_SRP_A_LENGTH 347
2303#define SSL_R_BAD_SRP_B_LENGTH 348
2304#define SSL_R_BAD_SRP_G_LENGTH 349
2305#define SSL_R_BAD_SRP_N_LENGTH 350
2306#define SSL_R_BAD_SRP_S_LENGTH 351
2307#define SSL_R_BAD_SRTP_MKI_VALUE 352
2308#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353
2057#define SSL_R_BAD_SSL_FILETYPE 124 2309#define SSL_R_BAD_SSL_FILETYPE 124
2058#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125 2310#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
2059#define SSL_R_BAD_STATE 126 2311#define SSL_R_BAD_STATE 126
@@ -2092,12 +2344,15 @@ void ERR_load_SSL_strings(void);
2092#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322 2344#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
2093#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323 2345#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
2094#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310 2346#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
2347#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
2095#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 2348#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
2096#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 2349#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
2097#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 2350#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
2098#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 2351#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
2099#define SSL_R_EXTRA_DATA_IN_MESSAGE 153 2352#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
2100#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 2353#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
2354#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355
2355#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356
2101#define SSL_R_HTTPS_PROXY_REQUEST 155 2356#define SSL_R_HTTPS_PROXY_REQUEST 155
2102#define SSL_R_HTTP_REQUEST 156 2357#define SSL_R_HTTP_REQUEST 156
2103#define SSL_R_ILLEGAL_PADDING 283 2358#define SSL_R_ILLEGAL_PADDING 283
@@ -2106,6 +2361,7 @@ void ERR_load_SSL_strings(void);
2106#define SSL_R_INVALID_COMMAND 280 2361#define SSL_R_INVALID_COMMAND 280
2107#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 2362#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
2108#define SSL_R_INVALID_PURPOSE 278 2363#define SSL_R_INVALID_PURPOSE 278
2364#define SSL_R_INVALID_SRP_USERNAME 357
2109#define SSL_R_INVALID_STATUS_RESPONSE 328 2365#define SSL_R_INVALID_STATUS_RESPONSE 328
2110#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325 2366#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
2111#define SSL_R_INVALID_TRUST 279 2367#define SSL_R_INVALID_TRUST 279
@@ -2135,6 +2391,7 @@ void ERR_load_SSL_strings(void);
2135#define SSL_R_MISSING_RSA_CERTIFICATE 168 2391#define SSL_R_MISSING_RSA_CERTIFICATE 168
2136#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 2392#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
2137#define SSL_R_MISSING_RSA_SIGNING_CERT 170 2393#define SSL_R_MISSING_RSA_SIGNING_CERT 170
2394#define SSL_R_MISSING_SRP_PARAM 358
2138#define SSL_R_MISSING_TMP_DH_KEY 171 2395#define SSL_R_MISSING_TMP_DH_KEY 171
2139#define SSL_R_MISSING_TMP_ECDH_KEY 311 2396#define SSL_R_MISSING_TMP_ECDH_KEY 311
2140#define SSL_R_MISSING_TMP_RSA_KEY 172 2397#define SSL_R_MISSING_TMP_RSA_KEY 172
@@ -2164,6 +2421,7 @@ void ERR_load_SSL_strings(void);
2164#define SSL_R_NO_RENEGOTIATION 339 2421#define SSL_R_NO_RENEGOTIATION 339
2165#define SSL_R_NO_REQUIRED_DIGEST 324 2422#define SSL_R_NO_REQUIRED_DIGEST 324
2166#define SSL_R_NO_SHARED_CIPHER 193 2423#define SSL_R_NO_SHARED_CIPHER 193
2424#define SSL_R_NO_SRTP_PROFILES 359
2167#define SSL_R_NO_VERIFY_CALLBACK 194 2425#define SSL_R_NO_VERIFY_CALLBACK 194
2168#define SSL_R_NULL_SSL_CTX 195 2426#define SSL_R_NULL_SSL_CTX 195
2169#define SSL_R_NULL_SSL_METHOD_PASSED 196 2427#define SSL_R_NULL_SSL_METHOD_PASSED 196
@@ -2207,7 +2465,12 @@ void ERR_load_SSL_strings(void);
2207#define SSL_R_SERVERHELLO_TLSEXT 275 2465#define SSL_R_SERVERHELLO_TLSEXT 275
2208#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 2466#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
2209#define SSL_R_SHORT_READ 219 2467#define SSL_R_SHORT_READ 219
2468#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360
2210#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 2469#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
2470#define SSL_R_SRP_A_CALC 361
2471#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362
2472#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363
2473#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364
2211#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 2474#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
2212#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299 2475#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
2213#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321 2476#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
@@ -2252,6 +2515,9 @@ void ERR_load_SSL_strings(void);
2252#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 2515#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
2253#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 2516#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
2254#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 2517#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
2518#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
2519#define SSL_R_TLS_HEARTBEAT_PENDING 366
2520#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
2255#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157 2521#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
2256#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 2522#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
2257#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 2523#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
@@ -2273,6 +2539,7 @@ void ERR_load_SSL_strings(void);
2273#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 2539#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
2274#define SSL_R_UNKNOWN_CIPHER_RETURNED 248 2540#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
2275#define SSL_R_UNKNOWN_CIPHER_TYPE 249 2541#define SSL_R_UNKNOWN_CIPHER_TYPE 249
2542#define SSL_R_UNKNOWN_DIGEST 368
2276#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 2543#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
2277#define SSL_R_UNKNOWN_PKEY_TYPE 251 2544#define SSL_R_UNKNOWN_PKEY_TYPE 251
2278#define SSL_R_UNKNOWN_PROTOCOL 252 2545#define SSL_R_UNKNOWN_PROTOCOL 252
@@ -2287,12 +2554,14 @@ void ERR_load_SSL_strings(void);
2287#define SSL_R_UNSUPPORTED_PROTOCOL 258 2554#define SSL_R_UNSUPPORTED_PROTOCOL 258
2288#define SSL_R_UNSUPPORTED_SSL_VERSION 259 2555#define SSL_R_UNSUPPORTED_SSL_VERSION 259
2289#define SSL_R_UNSUPPORTED_STATUS_TYPE 329 2556#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
2557#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
2290#define SSL_R_WRITE_BIO_NOT_SET 260 2558#define SSL_R_WRITE_BIO_NOT_SET 260
2291#define SSL_R_WRONG_CIPHER_RETURNED 261 2559#define SSL_R_WRONG_CIPHER_RETURNED 261
2292#define SSL_R_WRONG_MESSAGE_TYPE 262 2560#define SSL_R_WRONG_MESSAGE_TYPE 262
2293#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 2561#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
2294#define SSL_R_WRONG_SIGNATURE_LENGTH 264 2562#define SSL_R_WRONG_SIGNATURE_LENGTH 264
2295#define SSL_R_WRONG_SIGNATURE_SIZE 265 2563#define SSL_R_WRONG_SIGNATURE_SIZE 265
2564#define SSL_R_WRONG_SIGNATURE_TYPE 370
2296#define SSL_R_WRONG_SSL_VERSION 266 2565#define SSL_R_WRONG_SSL_VERSION 266
2297#define SSL_R_WRONG_VERSION_NUMBER 267 2566#define SSL_R_WRONG_VERSION_NUMBER 267
2298#define SSL_R_X509_LIB 268 2567#define SSL_R_X509_LIB 268
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
index 99a52ea0dd..eb25dcb0bf 100644
--- a/src/lib/libssl/ssl2.h
+++ b/src/lib/libssl/ssl2.h
@@ -155,6 +155,8 @@ extern "C" {
155#define CERT char 155#define CERT char
156#endif 156#endif
157 157
158#ifndef OPENSSL_NO_SSL_INTERN
159
158typedef struct ssl2_state_st 160typedef struct ssl2_state_st
159 { 161 {
160 int three_byte_header; 162 int three_byte_header;
@@ -219,6 +221,8 @@ typedef struct ssl2_state_st
219 } tmp; 221 } tmp;
220 } SSL2_STATE; 222 } SSL2_STATE;
221 223
224#endif
225
222/* SSLv2 */ 226/* SSLv2 */
223/* client */ 227/* client */
224#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT) 228#define SSL2_ST_SEND_CLIENT_HELLO_A (0x10|SSL_ST_CONNECT)
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 9c2c41287a..112e627de0 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -322,6 +322,7 @@ extern "C" {
322#define SSL3_RT_ALERT 21 322#define SSL3_RT_ALERT 21
323#define SSL3_RT_HANDSHAKE 22 323#define SSL3_RT_HANDSHAKE 22
324#define SSL3_RT_APPLICATION_DATA 23 324#define SSL3_RT_APPLICATION_DATA 23
325#define TLS1_RT_HEARTBEAT 24
325 326
326#define SSL3_AL_WARNING 1 327#define SSL3_AL_WARNING 1
327#define SSL3_AL_FATAL 2 328#define SSL3_AL_FATAL 2
@@ -339,6 +340,11 @@ extern "C" {
339#define SSL3_AD_CERTIFICATE_UNKNOWN 46 340#define SSL3_AD_CERTIFICATE_UNKNOWN 46
340#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */ 341#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
341 342
343#define TLS1_HB_REQUEST 1
344#define TLS1_HB_RESPONSE 2
345
346#ifndef OPENSSL_NO_SSL_INTERN
347
342typedef struct ssl3_record_st 348typedef struct ssl3_record_st
343 { 349 {
344/*r */ int type; /* type of record */ 350/*r */ int type; /* type of record */
@@ -360,6 +366,8 @@ typedef struct ssl3_buffer_st
360 int left; /* how many bytes left */ 366 int left; /* how many bytes left */
361 } SSL3_BUFFER; 367 } SSL3_BUFFER;
362 368
369#endif
370
363#define SSL3_CT_RSA_SIGN 1 371#define SSL3_CT_RSA_SIGN 1
364#define SSL3_CT_DSS_SIGN 2 372#define SSL3_CT_DSS_SIGN 2
365#define SSL3_CT_RSA_FIXED_DH 3 373#define SSL3_CT_RSA_FIXED_DH 3
@@ -379,6 +387,7 @@ typedef struct ssl3_buffer_st
379#define SSL3_FLAGS_POP_BUFFER 0x0004 387#define SSL3_FLAGS_POP_BUFFER 0x0004
380#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 388#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
381#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 389#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
390#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
382 391
383/* SSL3_FLAGS_SGC_RESTART_DONE is set when we 392/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
384 * restart a handshake because of MS SGC and so prevents us 393 * restart a handshake because of MS SGC and so prevents us
@@ -391,6 +400,8 @@ typedef struct ssl3_buffer_st
391 */ 400 */
392#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040 401#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
393 402
403#ifndef OPENSSL_NO_SSL_INTERN
404
394typedef struct ssl3_state_st 405typedef struct ssl3_state_st
395 { 406 {
396 long flags; 407 long flags;
@@ -475,7 +486,7 @@ typedef struct ssl3_state_st
475 int finish_md_len; 486 int finish_md_len;
476 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2]; 487 unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
477 int peer_finish_md_len; 488 int peer_finish_md_len;
478 489
479 unsigned long message_size; 490 unsigned long message_size;
480 int message_type; 491 int message_type;
481 492
@@ -523,13 +534,23 @@ typedef struct ssl3_state_st
523 unsigned char previous_server_finished[EVP_MAX_MD_SIZE]; 534 unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
524 unsigned char previous_server_finished_len; 535 unsigned char previous_server_finished_len;
525 int send_connection_binding; /* TODOEKR */ 536 int send_connection_binding; /* TODOEKR */
537
538#ifndef OPENSSL_NO_NEXTPROTONEG
539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */
540 int next_proto_neg_seen;
541#endif
526 } SSL3_STATE; 542 } SSL3_STATE;
527 543
544#endif
528 545
529/* SSLv3 */ 546/* SSLv3 */
530/*client */ 547/*client */
531/* extra state */ 548/* extra state */
532#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT) 549#define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT)
550#ifndef OPENSSL_NO_SCTP
551#define DTLS1_SCTP_ST_CW_WRITE_SOCK (0x310|SSL_ST_CONNECT)
552#define DTLS1_SCTP_ST_CR_READ_SOCK (0x320|SSL_ST_CONNECT)
553#endif
533/* write to server */ 554/* write to server */
534#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT) 555#define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT)
535#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT) 556#define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT)
@@ -557,6 +578,8 @@ typedef struct ssl3_state_st
557#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) 578#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
558#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) 579#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
559#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) 580#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
581#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
582#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
560#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) 583#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
561#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) 584#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
562/* read from server */ 585/* read from server */
@@ -572,6 +595,10 @@ typedef struct ssl3_state_st
572/* server */ 595/* server */
573/* extra state */ 596/* extra state */
574#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT) 597#define SSL3_ST_SW_FLUSH (0x100|SSL_ST_ACCEPT)
598#ifndef OPENSSL_NO_SCTP
599#define DTLS1_SCTP_ST_SW_WRITE_SOCK (0x310|SSL_ST_ACCEPT)
600#define DTLS1_SCTP_ST_SR_READ_SOCK (0x320|SSL_ST_ACCEPT)
601#endif
575/* read from client */ 602/* read from client */
576/* Do not change the number values, they do matter */ 603/* Do not change the number values, they do matter */
577#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT) 604#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
@@ -602,6 +629,8 @@ typedef struct ssl3_state_st
602#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) 629#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
603#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) 630#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
604#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) 631#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
632#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
633#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
605#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) 634#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
606#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) 635#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
607/* write to client */ 636/* write to client */
@@ -626,6 +655,7 @@ typedef struct ssl3_state_st
626#define SSL3_MT_CLIENT_KEY_EXCHANGE 16 655#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
627#define SSL3_MT_FINISHED 20 656#define SSL3_MT_FINISHED 20
628#define SSL3_MT_CERTIFICATE_STATUS 22 657#define SSL3_MT_CERTIFICATE_STATUS 22
658#define SSL3_MT_NEXT_PROTO 67
629#define DTLS1_MT_HELLO_VERIFY_REQUEST 3 659#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
630 660
631 661
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index 0967b2dfe4..d443143c59 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -73,6 +73,9 @@ int SSL_library_init(void)
73#endif 73#endif
74#ifndef OPENSSL_NO_RC4 74#ifndef OPENSSL_NO_RC4
75 EVP_add_cipher(EVP_rc4()); 75 EVP_add_cipher(EVP_rc4());
76#if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__))
77 EVP_add_cipher(EVP_rc4_hmac_md5());
78#endif
76#endif 79#endif
77#ifndef OPENSSL_NO_RC2 80#ifndef OPENSSL_NO_RC2
78 EVP_add_cipher(EVP_rc2_cbc()); 81 EVP_add_cipher(EVP_rc2_cbc());
@@ -85,6 +88,12 @@ int SSL_library_init(void)
85 EVP_add_cipher(EVP_aes_128_cbc()); 88 EVP_add_cipher(EVP_aes_128_cbc());
86 EVP_add_cipher(EVP_aes_192_cbc()); 89 EVP_add_cipher(EVP_aes_192_cbc());
87 EVP_add_cipher(EVP_aes_256_cbc()); 90 EVP_add_cipher(EVP_aes_256_cbc());
91 EVP_add_cipher(EVP_aes_128_gcm());
92 EVP_add_cipher(EVP_aes_256_gcm());
93#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
96#endif
88#endif 97#endif
89#ifndef OPENSSL_NO_CAMELLIA 98#ifndef OPENSSL_NO_CAMELLIA
90 EVP_add_cipher(EVP_camellia_128_cbc()); 99 EVP_add_cipher(EVP_camellia_128_cbc());
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index d7f4c6087e..38540be1e5 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -114,6 +114,9 @@ typedef struct ssl_session_asn1_st
114 ASN1_OCTET_STRING psk_identity_hint; 114 ASN1_OCTET_STRING psk_identity_hint;
115 ASN1_OCTET_STRING psk_identity; 115 ASN1_OCTET_STRING psk_identity;
116#endif /* OPENSSL_NO_PSK */ 116#endif /* OPENSSL_NO_PSK */
117#ifndef OPENSSL_NO_SRP
118 ASN1_OCTET_STRING srp_username;
119#endif /* OPENSSL_NO_SRP */
117 } SSL_SESSION_ASN1; 120 } SSL_SESSION_ASN1;
118 121
119int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 122int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
@@ -130,6 +133,9 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
130 unsigned char cbuf; 133 unsigned char cbuf;
131 int v11=0; 134 int v11=0;
132#endif 135#endif
136#ifndef OPENSSL_NO_SRP
137 int v12=0;
138#endif
133 long l; 139 long l;
134 SSL_SESSION_ASN1 a; 140 SSL_SESSION_ASN1 a;
135 M_ASN1_I2D_vars(in); 141 M_ASN1_I2D_vars(in);
@@ -267,6 +273,14 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
267 a.psk_identity.data=(unsigned char *)(in->psk_identity); 273 a.psk_identity.data=(unsigned char *)(in->psk_identity);
268 } 274 }
269#endif /* OPENSSL_NO_PSK */ 275#endif /* OPENSSL_NO_PSK */
276#ifndef OPENSSL_NO_SRP
277 if (in->srp_username)
278 {
279 a.srp_username.length=strlen(in->srp_username);
280 a.srp_username.type=V_ASN1_OCTET_STRING;
281 a.srp_username.data=(unsigned char *)(in->srp_username);
282 }
283#endif /* OPENSSL_NO_SRP */
270 284
271 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); 285 M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
272 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); 286 M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
@@ -307,6 +321,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
307 if (in->psk_identity) 321 if (in->psk_identity)
308 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8); 322 M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
309#endif /* OPENSSL_NO_PSK */ 323#endif /* OPENSSL_NO_PSK */
324#ifndef OPENSSL_NO_SRP
325 if (in->srp_username)
326 M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING,12,v12);
327#endif /* OPENSSL_NO_SRP */
310 328
311 M_ASN1_I2D_seq_total(); 329 M_ASN1_I2D_seq_total();
312 330
@@ -351,6 +369,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
351 if (in->compress_meth) 369 if (in->compress_meth)
352 M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11); 370 M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING,11,v11);
353#endif 371#endif
372#ifndef OPENSSL_NO_SRP
373 if (in->srp_username)
374 M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING,12,v12);
375#endif /* OPENSSL_NO_SRP */
354 M_ASN1_I2D_finish(); 376 M_ASN1_I2D_finish();
355 } 377 }
356 378
@@ -549,6 +571,19 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
549 } 571 }
550 else 572 else
551 ret->psk_identity_hint=NULL; 573 ret->psk_identity_hint=NULL;
574
575 os.length=0;
576 os.data=NULL;
577 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,8);
578 if (os.data)
579 {
580 ret->psk_identity = BUF_strndup((char *)os.data, os.length);
581 OPENSSL_free(os.data);
582 os.data = NULL;
583 os.length = 0;
584 }
585 else
586 ret->psk_identity=NULL;
552#endif /* OPENSSL_NO_PSK */ 587#endif /* OPENSSL_NO_PSK */
553 588
554#ifndef OPENSSL_NO_TLSEXT 589#ifndef OPENSSL_NO_TLSEXT
@@ -588,5 +623,20 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
588 } 623 }
589#endif 624#endif
590 625
626#ifndef OPENSSL_NO_SRP
627 os.length=0;
628 os.data=NULL;
629 M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,12);
630 if (os.data)
631 {
632 ret->srp_username = BUF_strndup((char *)os.data, os.length);
633 OPENSSL_free(os.data);
634 os.data = NULL;
635 os.length = 0;
636 }
637 else
638 ret->srp_username=NULL;
639#endif /* OPENSSL_NO_SRP */
640
591 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION); 641 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
592 } 642 }
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 27256eea81..917be31876 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -160,6 +160,21 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void)
160 return ssl_x509_store_ctx_idx; 160 return ssl_x509_store_ctx_idx;
161 } 161 }
162 162
163static void ssl_cert_set_default_md(CERT *cert)
164 {
165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
168#endif
169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif
173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
175#endif
176 }
177
163CERT *ssl_cert_new(void) 178CERT *ssl_cert_new(void)
164 { 179 {
165 CERT *ret; 180 CERT *ret;
@@ -174,7 +189,7 @@ CERT *ssl_cert_new(void)
174 189
175 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]); 190 ret->key= &(ret->pkeys[SSL_PKEY_RSA_ENC]);
176 ret->references=1; 191 ret->references=1;
177 192 ssl_cert_set_default_md(ret);
178 return(ret); 193 return(ret);
179 } 194 }
180 195
@@ -307,6 +322,10 @@ CERT *ssl_cert_dup(CERT *cert)
307 * chain is held inside SSL_CTX */ 322 * chain is held inside SSL_CTX */
308 323
309 ret->references=1; 324 ret->references=1;
325 /* Set digests to defaults. NB: we don't copy existing values as they
326 * will be set during handshake.
327 */
328 ssl_cert_set_default_md(ret);
310 329
311 return(ret); 330 return(ret);
312 331
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 54ba7ef5b4..92d1e94d6a 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -162,11 +162,13 @@
162#define SSL_ENC_CAMELLIA256_IDX 9 162#define SSL_ENC_CAMELLIA256_IDX 9
163#define SSL_ENC_GOST89_IDX 10 163#define SSL_ENC_GOST89_IDX 10
164#define SSL_ENC_SEED_IDX 11 164#define SSL_ENC_SEED_IDX 11
165#define SSL_ENC_NUM_IDX 12 165#define SSL_ENC_AES128GCM_IDX 12
166#define SSL_ENC_AES256GCM_IDX 13
167#define SSL_ENC_NUM_IDX 14
166 168
167 169
168static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ 170static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
169 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, 171 NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
170 }; 172 };
171 173
172#define SSL_COMP_NULL_IDX 0 174#define SSL_COMP_NULL_IDX 0
@@ -179,28 +181,32 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
179#define SSL_MD_SHA1_IDX 1 181#define SSL_MD_SHA1_IDX 1
180#define SSL_MD_GOST94_IDX 2 182#define SSL_MD_GOST94_IDX 2
181#define SSL_MD_GOST89MAC_IDX 3 183#define SSL_MD_GOST89MAC_IDX 3
184#define SSL_MD_SHA256_IDX 4
185#define SSL_MD_SHA384_IDX 5
182/*Constant SSL_MAX_DIGEST equal to size of digests array should be 186/*Constant SSL_MAX_DIGEST equal to size of digests array should be
183 * defined in the 187 * defined in the
184 * ssl_locl.h */ 188 * ssl_locl.h */
185#define SSL_MD_NUM_IDX SSL_MAX_DIGEST 189#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
186static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ 190static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
187 NULL,NULL,NULL,NULL 191 NULL,NULL,NULL,NULL,NULL,NULL
188 }; 192 };
189/* PKEY_TYPE for GOST89MAC is known in advance, but, because 193/* PKEY_TYPE for GOST89MAC is known in advance, but, because
190 * implementation is engine-provided, we'll fill it only if 194 * implementation is engine-provided, we'll fill it only if
191 * corresponding EVP_PKEY_METHOD is found 195 * corresponding EVP_PKEY_METHOD is found
192 */ 196 */
193static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={ 197static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
194 EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef 198 EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,
199 EVP_PKEY_HMAC,EVP_PKEY_HMAC
195 }; 200 };
196 201
197static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ 202static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
198 0,0,0,0 203 0,0,0,0,0,0
199 }; 204 };
200 205
201static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ 206static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
202 SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, 207 SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
203 SSL_HANDSHAKE_MAC_GOST94,0 208 SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
209 SSL_HANDSHAKE_MAC_SHA384
204 }; 210 };
205 211
206#define CIPHER_ADD 1 212#define CIPHER_ADD 1
@@ -247,6 +253,7 @@ static const SSL_CIPHER cipher_aliases[]={
247 {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0}, 253 {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
248 254
249 {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0}, 255 {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
256 {0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0},
250 {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0}, 257 {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
251 258
252 /* server authentication aliases */ 259 /* server authentication aliases */
@@ -273,6 +280,7 @@ static const SSL_CIPHER cipher_aliases[]={
273 {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0}, 280 {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
274 {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0}, 281 {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
275 {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0}, 282 {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
283 {0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0},
276 284
277 285
278 /* symmetric encryption aliases */ 286 /* symmetric encryption aliases */
@@ -283,9 +291,10 @@ static const SSL_CIPHER cipher_aliases[]={
283 {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0}, 291 {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0},
284 {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0}, 292 {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0},
285 {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, 293 {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
286 {0,SSL_TXT_AES128,0, 0,0,SSL_AES128,0,0,0,0,0,0}, 294 {0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
287 {0,SSL_TXT_AES256,0, 0,0,SSL_AES256,0,0,0,0,0,0}, 295 {0,SSL_TXT_AES256,0, 0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0},
288 {0,SSL_TXT_AES,0, 0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0}, 296 {0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0},
297 {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0},
289 {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0}, 298 {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
290 {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0}, 299 {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
291 {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0}, 300 {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
@@ -296,6 +305,8 @@ static const SSL_CIPHER cipher_aliases[]={
296 {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, 305 {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
297 {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0}, 306 {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},
298 {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0}, 307 {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},
308 {0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0},
309 {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0},
299 310
300 /* protocol version aliases */ 311 /* protocol version aliases */
301 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, 312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
@@ -379,6 +390,11 @@ void ssl_load_ciphers(void)
379 ssl_cipher_methods[SSL_ENC_SEED_IDX]= 390 ssl_cipher_methods[SSL_ENC_SEED_IDX]=
380 EVP_get_cipherbyname(SN_seed_cbc); 391 EVP_get_cipherbyname(SN_seed_cbc);
381 392
393 ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]=
394 EVP_get_cipherbyname(SN_aes_128_gcm);
395 ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]=
396 EVP_get_cipherbyname(SN_aes_256_gcm);
397
382 ssl_digest_methods[SSL_MD_MD5_IDX]= 398 ssl_digest_methods[SSL_MD_MD5_IDX]=
383 EVP_get_digestbyname(SN_md5); 399 EVP_get_digestbyname(SN_md5);
384 ssl_mac_secret_size[SSL_MD_MD5_IDX]= 400 ssl_mac_secret_size[SSL_MD_MD5_IDX]=
@@ -404,6 +420,14 @@ void ssl_load_ciphers(void)
404 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32; 420 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
405 } 421 }
406 422
423 ssl_digest_methods[SSL_MD_SHA256_IDX]=
424 EVP_get_digestbyname(SN_sha256);
425 ssl_mac_secret_size[SSL_MD_SHA256_IDX]=
426 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
427 ssl_digest_methods[SSL_MD_SHA384_IDX]=
428 EVP_get_digestbyname(SN_sha384);
429 ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
430 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
407 } 431 }
408#ifndef OPENSSL_NO_COMP 432#ifndef OPENSSL_NO_COMP
409 433
@@ -526,6 +550,12 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
526 case SSL_SEED: 550 case SSL_SEED:
527 i=SSL_ENC_SEED_IDX; 551 i=SSL_ENC_SEED_IDX;
528 break; 552 break;
553 case SSL_AES128GCM:
554 i=SSL_ENC_AES128GCM_IDX;
555 break;
556 case SSL_AES256GCM:
557 i=SSL_ENC_AES256GCM_IDX;
558 break;
529 default: 559 default:
530 i= -1; 560 i= -1;
531 break; 561 break;
@@ -549,6 +579,12 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
549 case SSL_SHA1: 579 case SSL_SHA1:
550 i=SSL_MD_SHA1_IDX; 580 i=SSL_MD_SHA1_IDX;
551 break; 581 break;
582 case SSL_SHA256:
583 i=SSL_MD_SHA256_IDX;
584 break;
585 case SSL_SHA384:
586 i=SSL_MD_SHA384_IDX;
587 break;
552 case SSL_GOST94: 588 case SSL_GOST94:
553 i = SSL_MD_GOST94_IDX; 589 i = SSL_MD_GOST94_IDX;
554 break; 590 break;
@@ -564,17 +600,45 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
564 *md=NULL; 600 *md=NULL;
565 if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; 601 if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
566 if (mac_secret_size!=NULL) *mac_secret_size = 0; 602 if (mac_secret_size!=NULL) *mac_secret_size = 0;
567 603 if (c->algorithm_mac == SSL_AEAD)
604 mac_pkey_type = NULL;
568 } 605 }
569 else 606 else
570 { 607 {
571 *md=ssl_digest_methods[i]; 608 *md=ssl_digest_methods[i];
572 if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i]; 609 if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
573 if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i]; 610 if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
574 } 611 }
612
613 if ((*enc != NULL) &&
614 (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
615 (!mac_pkey_type||*mac_pkey_type != NID_undef))
616 {
617 const EVP_CIPHER *evp;
618
619 if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
620 s->ssl_version < TLS1_VERSION)
621 return 1;
575 622
576 if ((*enc != NULL) && (*md != NULL) && (!mac_pkey_type||*mac_pkey_type != NID_undef)) 623#ifdef OPENSSL_FIPS
624 if (FIPS_mode())
625 return 1;
626#endif
627
628 if (c->algorithm_enc == SSL_RC4 &&
629 c->algorithm_mac == SSL_MD5 &&
630 (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
631 *enc = evp, *md = NULL;
632 else if (c->algorithm_enc == SSL_AES128 &&
633 c->algorithm_mac == SSL_SHA1 &&
634 (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
635 *enc = evp, *md = NULL;
636 else if (c->algorithm_enc == SSL_AES256 &&
637 c->algorithm_mac == SSL_SHA1 &&
638 (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
639 *enc = evp, *md = NULL;
577 return(1); 640 return(1);
641 }
578 else 642 else
579 return(0); 643 return(0);
580 } 644 }
@@ -585,9 +649,11 @@ int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
585 { 649 {
586 return 0; 650 return 0;
587 } 651 }
588 if (ssl_handshake_digest_flag[idx]==0) return 0;
589 *mask = ssl_handshake_digest_flag[idx]; 652 *mask = ssl_handshake_digest_flag[idx];
590 *md = ssl_digest_methods[idx]; 653 if (*mask)
654 *md = ssl_digest_methods[idx];
655 else
656 *md = NULL;
591 return 1; 657 return 1;
592} 658}
593 659
@@ -662,6 +728,9 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
662 *mkey |= SSL_kPSK; 728 *mkey |= SSL_kPSK;
663 *auth |= SSL_aPSK; 729 *auth |= SSL_aPSK;
664#endif 730#endif
731#ifdef OPENSSL_NO_SRP
732 *mkey |= SSL_kSRP;
733#endif
665 /* Check for presence of GOST 34.10 algorithms, and if they 734 /* Check for presence of GOST 34.10 algorithms, and if they
666 * do not present, disable appropriate auth and key exchange */ 735 * do not present, disable appropriate auth and key exchange */
667 if (!get_optional_pkey_id("gost94")) { 736 if (!get_optional_pkey_id("gost94")) {
@@ -687,6 +756,8 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
687 *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; 756 *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
688 *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0; 757 *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
689 *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0; 758 *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
759 *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0;
760 *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0;
690 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0; 761 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
691 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0; 762 *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
692 *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0; 763 *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
@@ -694,6 +765,8 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
694 765
695 *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; 766 *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
696 *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; 767 *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
768 *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
769 *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0;
697 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0; 770 *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
698 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0; 771 *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
699 772
@@ -724,6 +797,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
724 c = ssl_method->get_cipher(i); 797 c = ssl_method->get_cipher(i);
725 /* drop those that use any of that is not available */ 798 /* drop those that use any of that is not available */
726 if ((c != NULL) && c->valid && 799 if ((c != NULL) && c->valid &&
800#ifdef OPENSSL_FIPS
801 (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
802#endif
727 !(c->algorithm_mkey & disabled_mkey) && 803 !(c->algorithm_mkey & disabled_mkey) &&
728 !(c->algorithm_auth & disabled_auth) && 804 !(c->algorithm_auth & disabled_auth) &&
729 !(c->algorithm_enc & disabled_enc) && 805 !(c->algorithm_enc & disabled_enc) &&
@@ -1423,7 +1499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1423 */ 1499 */
1424 for (curr = head; curr != NULL; curr = curr->next) 1500 for (curr = head; curr != NULL; curr = curr->next)
1425 { 1501 {
1502#ifdef OPENSSL_FIPS
1503 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
1504#else
1426 if (curr->active) 1505 if (curr->active)
1506#endif
1427 { 1507 {
1428 sk_SSL_CIPHER_push(cipherstack, curr->cipher); 1508 sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1429#ifdef CIPHER_DEBUG 1509#ifdef CIPHER_DEBUG
@@ -1480,6 +1560,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1480 ver="SSLv2"; 1560 ver="SSLv2";
1481 else if (alg_ssl & SSL_SSLV3) 1561 else if (alg_ssl & SSL_SSLV3)
1482 ver="SSLv3"; 1562 ver="SSLv3";
1563 else if (alg_ssl & SSL_TLSV1_2)
1564 ver="TLSv1.2";
1483 else 1565 else
1484 ver="unknown"; 1566 ver="unknown";
1485 1567
@@ -1512,6 +1594,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1512 case SSL_kPSK: 1594 case SSL_kPSK:
1513 kx="PSK"; 1595 kx="PSK";
1514 break; 1596 break;
1597 case SSL_kSRP:
1598 kx="SRP";
1599 break;
1515 default: 1600 default:
1516 kx="unknown"; 1601 kx="unknown";
1517 } 1602 }
@@ -1574,6 +1659,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1574 case SSL_AES256: 1659 case SSL_AES256:
1575 enc="AES(256)"; 1660 enc="AES(256)";
1576 break; 1661 break;
1662 case SSL_AES128GCM:
1663 enc="AESGCM(128)";
1664 break;
1665 case SSL_AES256GCM:
1666 enc="AESGCM(256)";
1667 break;
1577 case SSL_CAMELLIA128: 1668 case SSL_CAMELLIA128:
1578 enc="Camellia(128)"; 1669 enc="Camellia(128)";
1579 break; 1670 break;
@@ -1596,6 +1687,15 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1596 case SSL_SHA1: 1687 case SSL_SHA1:
1597 mac="SHA1"; 1688 mac="SHA1";
1598 break; 1689 break;
1690 case SSL_SHA256:
1691 mac="SHA256";
1692 break;
1693 case SSL_SHA384:
1694 mac="SHA384";
1695 break;
1696 case SSL_AEAD:
1697 mac="AEAD";
1698 break;
1599 default: 1699 default:
1600 mac="unknown"; 1700 mac="unknown";
1601 break; 1701 break;
@@ -1653,6 +1753,11 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1653 return(ret); 1753 return(ret);
1654 } 1754 }
1655 1755
1756unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c)
1757 {
1758 return c->id;
1759 }
1760
1656SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) 1761SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1657 { 1762 {
1658 SSL_COMP *ctmp; 1763 SSL_COMP *ctmp;
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index e9be77109f..2577c6895a 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -80,6 +80,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
80{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"}, 80{ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
81{ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"}, 81{ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
82{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"}, 82{ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"},
83{ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "DTLS1_CHECK_TIMEOUT_NUM"},
83{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"}, 84{ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"},
84{ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"}, 85{ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
85{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"}, 86{ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
@@ -88,6 +89,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
88{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"}, 89{ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT), "DTLS1_GET_MESSAGE_FRAGMENT"},
89{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"}, 90{ERR_FUNC(SSL_F_DTLS1_GET_RECORD), "DTLS1_GET_RECORD"},
90{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"}, 91{ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT), "DTLS1_HANDLE_TIMEOUT"},
92{ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
91{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"}, 93{ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
92{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"}, 94{ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
93{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"}, 95{ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
@@ -156,6 +158,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
156{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"}, 158{ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
157{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"}, 159{ERR_FUNC(SSL_F_SSL3_GET_MESSAGE), "SSL3_GET_MESSAGE"},
158{ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"}, 160{ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET), "SSL3_GET_NEW_SESSION_TICKET"},
161{ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO), "SSL3_GET_NEXT_PROTO"},
159{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"}, 162{ERR_FUNC(SSL_F_SSL3_GET_RECORD), "SSL3_GET_RECORD"},
160{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"}, 163{ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE), "SSL3_GET_SERVER_CERTIFICATE"},
161{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"}, 164{ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE), "SSL3_GET_SERVER_DONE"},
@@ -180,10 +183,12 @@ static ERR_STRING_DATA SSL_str_functs[]=
180{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"}, 183{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "SSL3_WRITE_PENDING"},
181{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"}, 184{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
182{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"}, 185{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT), "SSL_ADD_CLIENTHELLO_TLSEXT"},
186{ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT), "SSL_ADD_CLIENTHELLO_USE_SRTP_EXT"},
183{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"}, 187{ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK), "SSL_add_dir_cert_subjects_to_stack"},
184{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"}, 188{ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK), "SSL_add_file_cert_subjects_to_stack"},
185{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"}, 189{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT), "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
186{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"}, 190{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT), "SSL_ADD_SERVERHELLO_TLSEXT"},
191{ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT), "SSL_ADD_SERVERHELLO_USE_SRTP_EXT"},
187{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"}, 192{ERR_FUNC(SSL_F_SSL_BAD_METHOD), "SSL_BAD_METHOD"},
188{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"}, 193{ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST), "SSL_BYTES_TO_CIPHER_LIST"},
189{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"}, 194{ERR_FUNC(SSL_F_SSL_CERT_DUP), "SSL_CERT_DUP"},
@@ -200,6 +205,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
200{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"}, 205{ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "SSL_CREATE_CIPHER_LIST"},
201{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"}, 206{ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
202{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, 207{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
208{ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "SSL_CTX_MAKE_PROFILES"},
203{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"}, 209{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
204{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"}, 210{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
205{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"}, 211{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"},
@@ -228,8 +234,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
228{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, 234{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
229{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"}, 235{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
230{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"}, 236{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT), "SSL_PARSE_CLIENTHELLO_TLSEXT"},
237{ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT), "SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT"},
231{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"}, 238{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
232{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"}, 239{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT), "SSL_PARSE_SERVERHELLO_TLSEXT"},
240{ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT), "SSL_PARSE_SERVERHELLO_USE_SRTP_EXT"},
233{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, 241{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
234{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"}, 242{ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT), "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
235{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"}, 243{ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT), "SSL_PREPARE_SERVERHELLO_TLSEXT"},
@@ -238,6 +246,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
238{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, 246{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
239{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, 247{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
240{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, 248{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
249{ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
241{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"}, 250{ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "SSL_SESS_CERT_NEW"},
242{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"}, 251{ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
243{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"}, 252{ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"},
@@ -251,6 +260,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
251{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"}, 260{ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
252{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"}, 261{ERR_FUNC(SSL_F_SSL_SET_WFD), "SSL_set_wfd"},
253{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"}, 262{ERR_FUNC(SSL_F_SSL_SHUTDOWN), "SSL_shutdown"},
263{ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT), "SSL_SRP_CTX_init"},
254{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"}, 264{ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "SSL_UNDEFINED_CONST_FUNCTION"},
255{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"}, 265{ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "SSL_UNDEFINED_FUNCTION"},
256{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"}, 266{ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "SSL_UNDEFINED_VOID_FUNCTION"},
@@ -270,6 +280,8 @@ static ERR_STRING_DATA SSL_str_functs[]=
270{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"}, 280{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
271{ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, 281{ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
272{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"}, 282{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
283{ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "TLS1_EXPORT_KEYING_MATERIAL"},
284{ERR_FUNC(SSL_F_TLS1_HEARTBEAT), "SSL_F_TLS1_HEARTBEAT"},
273{ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"}, 285{ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
274{ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"}, 286{ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
275{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"}, 287{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"},
@@ -312,6 +324,13 @@ static ERR_STRING_DATA SSL_str_reasons[]=
312{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"}, 324{ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH),"bad rsa modulus length"},
313{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"}, 325{ERR_REASON(SSL_R_BAD_RSA_SIGNATURE) ,"bad rsa signature"},
314{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"}, 326{ERR_REASON(SSL_R_BAD_SIGNATURE) ,"bad signature"},
327{ERR_REASON(SSL_R_BAD_SRP_A_LENGTH) ,"bad srp a length"},
328{ERR_REASON(SSL_R_BAD_SRP_B_LENGTH) ,"bad srp b length"},
329{ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) ,"bad srp g length"},
330{ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) ,"bad srp n length"},
331{ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) ,"bad srp s length"},
332{ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) ,"bad srtp mki value"},
333{ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),"bad srtp protection profile list"},
315{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"}, 334{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
316{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"}, 335{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
317{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"}, 336{ERR_REASON(SSL_R_BAD_STATE) ,"bad state"},
@@ -350,12 +369,15 @@ static ERR_STRING_DATA SSL_str_reasons[]=
350{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"}, 369{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE),"ecc cert should have rsa signature"},
351{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"}, 370{ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE),"ecc cert should have sha1 signature"},
352{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"}, 371{ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER),"ecgroup too large for cipher"},
372{ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST),"empty srtp protection profile list"},
353{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"}, 373{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
354{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"}, 374{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
355{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"}, 375{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
356{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"}, 376{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
357{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"}, 377{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
358{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"}, 378{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
379{ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"},
380{ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
359{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, 381{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
360{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, 382{ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
361{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, 383{ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
@@ -364,6 +386,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
364{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, 386{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
365{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"}, 387{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
366{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, 388{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
389{ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"},
367{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"}, 390{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
368{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"}, 391{ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH),"invalid ticket keys length"},
369{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"}, 392{ERR_REASON(SSL_R_INVALID_TRUST) ,"invalid trust"},
@@ -393,6 +416,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
393{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"}, 416{ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE),"missing rsa certificate"},
394{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"}, 417{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
395{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"}, 418{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
419{ERR_REASON(SSL_R_MISSING_SRP_PARAM) ,"can't find SRP server param"},
396{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"}, 420{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
397{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"}, 421{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"},
398{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"}, 422{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
@@ -422,6 +446,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
422{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"}, 446{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
423{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) ,"digest requred for handshake isn't computed"}, 447{ERR_REASON(SSL_R_NO_REQUIRED_DIGEST) ,"digest requred for handshake isn't computed"},
424{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"}, 448{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
449{ERR_REASON(SSL_R_NO_SRTP_PROFILES) ,"no srtp profiles"},
425{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"}, 450{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
426{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"}, 451{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
427{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"}, 452{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
@@ -465,7 +490,12 @@ static ERR_STRING_DATA SSL_str_reasons[]=
465{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"}, 490{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT) ,"serverhello tlsext"},
466{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"}, 491{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),"session id context uninitialized"},
467{ERR_REASON(SSL_R_SHORT_READ) ,"short read"}, 492{ERR_REASON(SSL_R_SHORT_READ) ,"short read"},
493{ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR),"signature algorithms error"},
468{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"}, 494{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),"signature for non signing certificate"},
495{ERR_REASON(SSL_R_SRP_A_CALC) ,"error with the srp params"},
496{ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES),"srtp could not allocate profiles"},
497{ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG),"srtp protection profile list too long"},
498{ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE),"srtp unknown protection profile"},
469{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"}, 499{ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE),"ssl23 doing session id reuse"},
470{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"}, 500{ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG),"ssl2 connection id too long"},
471{ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),"ssl3 ext invalid ecpointformat"}, 501{ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT),"ssl3 ext invalid ecpointformat"},
@@ -510,6 +540,9 @@ static ERR_STRING_DATA SSL_str_reasons[]=
510{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"}, 540{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"},
511{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"}, 541{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"},
512{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"}, 542{ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"},
543{ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT),"peer does not accept heartbearts"},
544{ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) ,"heartbeat request already pending"},
545{ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL),"tls illegal exporter label"},
513{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"}, 546{ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"},
514{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"}, 547{ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"},
515{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"}, 548{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),"tls rsa encrypted value length is wrong"},
@@ -531,6 +564,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
531{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"}, 564{ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
532{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"}, 565{ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
533{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"}, 566{ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"},
567{ERR_REASON(SSL_R_UNKNOWN_DIGEST) ,"unknown digest"},
534{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"}, 568{ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE),"unknown key exchange type"},
535{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"}, 569{ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE) ,"unknown pkey type"},
536{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"}, 570{ERR_REASON(SSL_R_UNKNOWN_PROTOCOL) ,"unknown protocol"},
@@ -545,12 +579,14 @@ static ERR_STRING_DATA SSL_str_reasons[]=
545{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"}, 579{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
546{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"}, 580{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
547{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"}, 581{ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE),"unsupported status type"},
582{ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED),"use srtp not negotiated"},
548{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"}, 583{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},
549{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"}, 584{ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) ,"wrong cipher returned"},
550{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"}, 585{ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) ,"wrong message type"},
551{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"}, 586{ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS),"wrong number of key bits"},
552{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"}, 587{ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH),"wrong signature length"},
553{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"}, 588{ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE) ,"wrong signature size"},
589{ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE) ,"wrong signature type"},
554{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"}, 590{ERR_REASON(SSL_R_WRONG_SSL_VERSION) ,"wrong ssl version"},
555{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"}, 591{ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) ,"wrong version number"},
556{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"}, 592{ERR_REASON(SSL_R_X509_LIB) ,"x509 lib"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 8e89911f48..f82d071d6e 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -176,7 +176,10 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={
176 0, /* client_finished_label_len */ 176 0, /* client_finished_label_len */
177 NULL, /* server_finished_label */ 177 NULL, /* server_finished_label */
178 0, /* server_finished_label_len */ 178 0, /* server_finished_label_len */
179 (int (*)(int))ssl_undefined_function 179 (int (*)(int))ssl_undefined_function,
180 (int (*)(SSL *, unsigned char *, size_t, const char *,
181 size_t, const unsigned char *, size_t,
182 int use_context)) ssl_undefined_function,
180 }; 183 };
181 184
182int SSL_clear(SSL *s) 185int SSL_clear(SSL *s)
@@ -202,9 +205,9 @@ int SSL_clear(SSL *s)
202 * needed because SSL_clear is not called when doing renegotiation) */ 205 * needed because SSL_clear is not called when doing renegotiation) */
203 /* This is set if we are doing dynamic renegotiation so keep 206 /* This is set if we are doing dynamic renegotiation so keep
204 * the old cipher. It is sort of a SSL_clear_lite :-) */ 207 * the old cipher. It is sort of a SSL_clear_lite :-) */
205 if (s->new_session) return(1); 208 if (s->renegotiate) return(1);
206#else 209#else
207 if (s->new_session) 210 if (s->renegotiate)
208 { 211 {
209 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); 212 SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
210 return 0; 213 return 0;
@@ -353,6 +356,9 @@ SSL *SSL_new(SSL_CTX *ctx)
353 s->tlsext_ocsp_resplen = -1; 356 s->tlsext_ocsp_resplen = -1;
354 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); 357 CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
355 s->initial_ctx=ctx; 358 s->initial_ctx=ctx;
359# ifndef OPENSSL_NO_NEXTPROTONEG
360 s->next_proto_negotiated = NULL;
361# endif
356#endif 362#endif
357 363
358 s->verify_result=X509_V_OK; 364 s->verify_result=X509_V_OK;
@@ -586,6 +592,14 @@ void SSL_free(SSL *s)
586 kssl_ctx_free(s->kssl_ctx); 592 kssl_ctx_free(s->kssl_ctx);
587#endif /* OPENSSL_NO_KRB5 */ 593#endif /* OPENSSL_NO_KRB5 */
588 594
595#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
596 if (s->next_proto_negotiated)
597 OPENSSL_free(s->next_proto_negotiated);
598#endif
599
600 if (s->srtp_profiles)
601 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
602
589 OPENSSL_free(s); 603 OPENSSL_free(s);
590 } 604 }
591 605
@@ -1008,10 +1022,21 @@ int SSL_shutdown(SSL *s)
1008 1022
1009int SSL_renegotiate(SSL *s) 1023int SSL_renegotiate(SSL *s)
1010 { 1024 {
1011 if (s->new_session == 0) 1025 if (s->renegotiate == 0)
1012 { 1026 s->renegotiate=1;
1013 s->new_session=1; 1027
1014 } 1028 s->new_session=1;
1029
1030 return(s->method->ssl_renegotiate(s));
1031 }
1032
1033int SSL_renegotiate_abbreviated(SSL *s)
1034 {
1035 if (s->renegotiate == 0)
1036 s->renegotiate=1;
1037
1038 s->new_session=0;
1039
1015 return(s->method->ssl_renegotiate(s)); 1040 return(s->method->ssl_renegotiate(s));
1016 } 1041 }
1017 1042
@@ -1019,7 +1044,7 @@ int SSL_renegotiate_pending(SSL *s)
1019 { 1044 {
1020 /* becomes true when negotiation is requested; 1045 /* becomes true when negotiation is requested;
1021 * false again once a handshake has finished */ 1046 * false again once a handshake has finished */
1022 return (s->new_session != 0); 1047 return (s->renegotiate != 0);
1023 } 1048 }
1024 1049
1025long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) 1050long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
@@ -1054,8 +1079,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1054 s->max_cert_list=larg; 1079 s->max_cert_list=larg;
1055 return(l); 1080 return(l);
1056 case SSL_CTRL_SET_MTU: 1081 case SSL_CTRL_SET_MTU:
1082#ifndef OPENSSL_NO_DTLS1
1057 if (larg < (long)dtls1_min_mtu()) 1083 if (larg < (long)dtls1_min_mtu())
1058 return 0; 1084 return 0;
1085#endif
1059 1086
1060 if (SSL_version(s) == DTLS1_VERSION || 1087 if (SSL_version(s) == DTLS1_VERSION ||
1061 SSL_version(s) == DTLS1_BAD_VER) 1088 SSL_version(s) == DTLS1_BAD_VER)
@@ -1358,6 +1385,10 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1358 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1385 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1359 { 1386 {
1360 c=sk_SSL_CIPHER_value(sk,i); 1387 c=sk_SSL_CIPHER_value(sk,i);
1388 /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
1389 if ((c->algorithm_ssl & SSL_TLSV1_2) &&
1390 (TLS1_get_client_version(s) < TLS1_2_VERSION))
1391 continue;
1361#ifndef OPENSSL_NO_KRB5 1392#ifndef OPENSSL_NO_KRB5
1362 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) && 1393 if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
1363 nokrb5) 1394 nokrb5)
@@ -1375,7 +1406,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
1375 /* If p == q, no ciphers and caller indicates an error. Otherwise 1406 /* If p == q, no ciphers and caller indicates an error. Otherwise
1376 * add SCSV if not renegotiating. 1407 * add SCSV if not renegotiating.
1377 */ 1408 */
1378 if (p != q && !s->new_session) 1409 if (p != q && !s->renegotiate)
1379 { 1410 {
1380 static SSL_CIPHER scsv = 1411 static SSL_CIPHER scsv =
1381 { 1412 {
@@ -1422,7 +1453,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
1422 (p[n-1] == (SSL3_CK_SCSV & 0xff))) 1453 (p[n-1] == (SSL3_CK_SCSV & 0xff)))
1423 { 1454 {
1424 /* SCSV fatal if renegotiating */ 1455 /* SCSV fatal if renegotiating */
1425 if (s->new_session) 1456 if (s->renegotiate)
1426 { 1457 {
1427 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); 1458 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1428 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1459 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
@@ -1479,8 +1510,137 @@ int SSL_get_servername_type(const SSL *s)
1479 return TLSEXT_NAMETYPE_host_name; 1510 return TLSEXT_NAMETYPE_host_name;
1480 return -1; 1511 return -1;
1481 } 1512 }
1513
1514# ifndef OPENSSL_NO_NEXTPROTONEG
1515/* SSL_select_next_proto implements the standard protocol selection. It is
1516 * expected that this function is called from the callback set by
1517 * SSL_CTX_set_next_proto_select_cb.
1518 *
1519 * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
1520 * strings. The length byte itself is not included in the length. A byte
1521 * string of length 0 is invalid. No byte string may be truncated.
1522 *
1523 * The current, but experimental algorithm for selecting the protocol is:
1524 *
1525 * 1) If the server doesn't support NPN then this is indicated to the
1526 * callback. In this case, the client application has to abort the connection
1527 * or have a default application level protocol.
1528 *
1529 * 2) If the server supports NPN, but advertises an empty list then the
1530 * client selects the first protcol in its list, but indicates via the
1531 * API that this fallback case was enacted.
1532 *
1533 * 3) Otherwise, the client finds the first protocol in the server's list
1534 * that it supports and selects this protocol. This is because it's
1535 * assumed that the server has better information about which protocol
1536 * a client should use.
1537 *
1538 * 4) If the client doesn't support any of the server's advertised
1539 * protocols, then this is treated the same as case 2.
1540 *
1541 * It returns either
1542 * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
1543 * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
1544 */
1545int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, const unsigned char *client, unsigned int client_len)
1546 {
1547 unsigned int i, j;
1548 const unsigned char *result;
1549 int status = OPENSSL_NPN_UNSUPPORTED;
1550
1551 /* For each protocol in server preference order, see if we support it. */
1552 for (i = 0; i < server_len; )
1553 {
1554 for (j = 0; j < client_len; )
1555 {
1556 if (server[i] == client[j] &&
1557 memcmp(&server[i+1], &client[j+1], server[i]) == 0)
1558 {
1559 /* We found a match */
1560 result = &server[i];
1561 status = OPENSSL_NPN_NEGOTIATED;
1562 goto found;
1563 }
1564 j += client[j];
1565 j++;
1566 }
1567 i += server[i];
1568 i++;
1569 }
1570
1571 /* There's no overlap between our protocols and the server's list. */
1572 result = client;
1573 status = OPENSSL_NPN_NO_OVERLAP;
1574
1575 found:
1576 *out = (unsigned char *) result + 1;
1577 *outlen = result[0];
1578 return status;
1579 }
1580
1581/* SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
1582 * requested protocol for this connection and returns 0. If the client didn't
1583 * request any protocol, then *data is set to NULL.
1584 *
1585 * Note that the client can request any protocol it chooses. The value returned
1586 * from this function need not be a member of the list of supported protocols
1587 * provided by the callback.
1588 */
1589void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, unsigned *len)
1590 {
1591 *data = s->next_proto_negotiated;
1592 if (!*data) {
1593 *len = 0;
1594 } else {
1595 *len = s->next_proto_negotiated_len;
1596 }
1597}
1598
1599/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
1600 * TLS server needs a list of supported protocols for Next Protocol
1601 * Negotiation. The returned list must be in wire format. The list is returned
1602 * by setting |out| to point to it and |outlen| to its length. This memory will
1603 * not be modified, but one should assume that the SSL* keeps a reference to
1604 * it.
1605 *
1606 * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise. Otherwise, no
1607 * such extension will be included in the ServerHello. */
1608void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
1609 {
1610 ctx->next_protos_advertised_cb = cb;
1611 ctx->next_protos_advertised_cb_arg = arg;
1612 }
1613
1614/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
1615 * client needs to select a protocol from the server's provided list. |out|
1616 * must be set to point to the selected protocol (which may be within |in|).
1617 * The length of the protocol name must be written into |outlen|. The server's
1618 * advertised protocols are provided in |in| and |inlen|. The callback can
1619 * assume that |in| is syntactically valid.
1620 *
1621 * The client must select a protocol. It is fatal to the connection if this
1622 * callback returns a value other than SSL_TLSEXT_ERR_OK.
1623 */
1624void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
1625 {
1626 ctx->next_proto_select_cb = cb;
1627 ctx->next_proto_select_cb_arg = arg;
1628 }
1629# endif
1482#endif 1630#endif
1483 1631
1632int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1633 const char *label, size_t llen, const unsigned char *p, size_t plen,
1634 int use_context)
1635 {
1636 if (s->version < TLS1_VERSION)
1637 return -1;
1638
1639 return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
1640 llen, p, plen,
1641 use_context);
1642 }
1643
1484static unsigned long ssl_session_hash(const SSL_SESSION *a) 1644static unsigned long ssl_session_hash(const SSL_SESSION *a)
1485 { 1645 {
1486 unsigned long l; 1646 unsigned long l;
@@ -1524,6 +1684,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1524 return(NULL); 1684 return(NULL);
1525 } 1685 }
1526 1686
1687#ifdef OPENSSL_FIPS
1688 if (FIPS_mode() && (meth->version < TLS1_VERSION))
1689 {
1690 SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
1691 return NULL;
1692 }
1693#endif
1694
1527 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) 1695 if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
1528 { 1696 {
1529 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 1697 SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -1643,12 +1811,19 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1643 ret->tlsext_status_cb = 0; 1811 ret->tlsext_status_cb = 0;
1644 ret->tlsext_status_arg = NULL; 1812 ret->tlsext_status_arg = NULL;
1645 1813
1814# ifndef OPENSSL_NO_NEXTPROTONEG
1815 ret->next_protos_advertised_cb = 0;
1816 ret->next_proto_select_cb = 0;
1817# endif
1646#endif 1818#endif
1647#ifndef OPENSSL_NO_PSK 1819#ifndef OPENSSL_NO_PSK
1648 ret->psk_identity_hint=NULL; 1820 ret->psk_identity_hint=NULL;
1649 ret->psk_client_callback=NULL; 1821 ret->psk_client_callback=NULL;
1650 ret->psk_server_callback=NULL; 1822 ret->psk_server_callback=NULL;
1651#endif 1823#endif
1824#ifndef OPENSSL_NO_SRP
1825 SSL_CTX_SRP_CTX_init(ret);
1826#endif
1652#ifndef OPENSSL_NO_BUF_FREELISTS 1827#ifndef OPENSSL_NO_BUF_FREELISTS
1653 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT; 1828 ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
1654 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST)); 1829 ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -1777,10 +1952,16 @@ void SSL_CTX_free(SSL_CTX *a)
1777 a->comp_methods = NULL; 1952 a->comp_methods = NULL;
1778#endif 1953#endif
1779 1954
1955 if (a->srtp_profiles)
1956 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
1957
1780#ifndef OPENSSL_NO_PSK 1958#ifndef OPENSSL_NO_PSK
1781 if (a->psk_identity_hint) 1959 if (a->psk_identity_hint)
1782 OPENSSL_free(a->psk_identity_hint); 1960 OPENSSL_free(a->psk_identity_hint);
1783#endif 1961#endif
1962#ifndef OPENSSL_NO_SRP
1963 SSL_CTX_SRP_CTX_free(a);
1964#endif
1784#ifndef OPENSSL_NO_ENGINE 1965#ifndef OPENSSL_NO_ENGINE
1785 if (a->client_cert_engine) 1966 if (a->client_cert_engine)
1786 ENGINE_finish(a->client_cert_engine); 1967 ENGINE_finish(a->client_cert_engine);
@@ -2034,12 +2215,13 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
2034 2215
2035#ifndef OPENSSL_NO_EC 2216#ifndef OPENSSL_NO_EC
2036 2217
2037int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) 2218int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2038 { 2219 {
2039 unsigned long alg_k, alg_a; 2220 unsigned long alg_k, alg_a;
2040 EVP_PKEY *pkey = NULL; 2221 EVP_PKEY *pkey = NULL;
2041 int keysize = 0; 2222 int keysize = 0;
2042 int signature_nid = 0, md_nid = 0, pk_nid = 0; 2223 int signature_nid = 0, md_nid = 0, pk_nid = 0;
2224 const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
2043 2225
2044 alg_k = cs->algorithm_mkey; 2226 alg_k = cs->algorithm_mkey;
2045 alg_a = cs->algorithm_auth; 2227 alg_a = cs->algorithm_auth;
@@ -2069,7 +2251,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2069 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); 2251 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
2070 return 0; 2252 return 0;
2071 } 2253 }
2072 if (alg_k & SSL_kECDHe) 2254 if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
2073 { 2255 {
2074 /* signature alg must be ECDSA */ 2256 /* signature alg must be ECDSA */
2075 if (pk_nid != NID_X9_62_id_ecPublicKey) 2257 if (pk_nid != NID_X9_62_id_ecPublicKey)
@@ -2078,7 +2260,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2078 return 0; 2260 return 0;
2079 } 2261 }
2080 } 2262 }
2081 if (alg_k & SSL_kECDHr) 2263 if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
2082 { 2264 {
2083 /* signature alg must be RSA */ 2265 /* signature alg must be RSA */
2084 2266
@@ -2168,34 +2350,36 @@ X509 *ssl_get_server_send_cert(SSL *s)
2168 return(c->pkeys[i].x509); 2350 return(c->pkeys[i].x509);
2169 } 2351 }
2170 2352
2171EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher) 2353EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
2172 { 2354 {
2173 unsigned long alg_a; 2355 unsigned long alg_a;
2174 CERT *c; 2356 CERT *c;
2357 int idx = -1;
2175 2358
2176 alg_a = cipher->algorithm_auth; 2359 alg_a = cipher->algorithm_auth;
2177 c=s->cert; 2360 c=s->cert;
2178 2361
2179 if ((alg_a & SSL_aDSS) && 2362 if ((alg_a & SSL_aDSS) &&
2180 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) 2363 (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
2181 return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); 2364 idx = SSL_PKEY_DSA_SIGN;
2182 else if (alg_a & SSL_aRSA) 2365 else if (alg_a & SSL_aRSA)
2183 { 2366 {
2184 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) 2367 if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
2185 return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); 2368 idx = SSL_PKEY_RSA_SIGN;
2186 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) 2369 else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
2187 return(c->pkeys[SSL_PKEY_RSA_ENC].privatekey); 2370 idx = SSL_PKEY_RSA_ENC;
2188 else
2189 return(NULL);
2190 } 2371 }
2191 else if ((alg_a & SSL_aECDSA) && 2372 else if ((alg_a & SSL_aECDSA) &&
2192 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) 2373 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
2193 return(c->pkeys[SSL_PKEY_ECC].privatekey); 2374 idx = SSL_PKEY_ECC;
2194 else /* if (alg_a & SSL_aNULL) */ 2375 if (idx == -1)
2195 { 2376 {
2196 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); 2377 SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
2197 return(NULL); 2378 return(NULL);
2198 } 2379 }
2380 if (pmd)
2381 *pmd = c->pkeys[idx].digest;
2382 return c->pkeys[idx].privatekey;
2199 } 2383 }
2200 2384
2201void ssl_update_cache(SSL *s,int mode) 2385void ssl_update_cache(SSL *s,int mode)
@@ -2420,6 +2604,10 @@ SSL_METHOD *ssl_bad_method(int ver)
2420 2604
2421const char *SSL_get_version(const SSL *s) 2605const char *SSL_get_version(const SSL *s)
2422 { 2606 {
2607 if (s->version == TLS1_2_VERSION)
2608 return("TLSv1.2");
2609 else if (s->version == TLS1_1_VERSION)
2610 return("TLSv1.1");
2423 if (s->version == TLS1_VERSION) 2611 if (s->version == TLS1_VERSION)
2424 return("TLSv1"); 2612 return("TLSv1");
2425 else if (s->version == SSL3_VERSION) 2613 else if (s->version == SSL3_VERSION)
@@ -2514,6 +2702,7 @@ SSL *SSL_dup(SSL *s)
2514 ret->in_handshake = s->in_handshake; 2702 ret->in_handshake = s->in_handshake;
2515 ret->handshake_func = s->handshake_func; 2703 ret->handshake_func = s->handshake_func;
2516 ret->server = s->server; 2704 ret->server = s->server;
2705 ret->renegotiate = s->renegotiate;
2517 ret->new_session = s->new_session; 2706 ret->new_session = s->new_session;
2518 ret->quiet_shutdown = s->quiet_shutdown; 2707 ret->quiet_shutdown = s->quiet_shutdown;
2519 ret->shutdown=s->shutdown; 2708 ret->shutdown=s->shutdown;
@@ -2779,6 +2968,11 @@ int SSL_state(const SSL *ssl)
2779 return(ssl->state); 2968 return(ssl->state);
2780 } 2969 }
2781 2970
2971void SSL_set_state(SSL *ssl, int state)
2972 {
2973 ssl->state = state;
2974 }
2975
2782void SSL_set_verify_result(SSL *ssl,long arg) 2976void SSL_set_verify_result(SSL *ssl,long arg)
2783 { 2977 {
2784 ssl->verify_result=arg; 2978 ssl->verify_result=arg;
@@ -3037,6 +3231,16 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash)
3037 *hash=NULL; 3231 *hash=NULL;
3038} 3232}
3039 3233
3234void SSL_set_debug(SSL *s, int debug)
3235 {
3236 s->debug = debug;
3237 }
3238
3239int SSL_cache_hit(SSL *s)
3240 {
3241 return s->hit;
3242 }
3243
3040#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) 3244#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
3041#include "../crypto/bio/bss_file.c" 3245#include "../crypto/bio/bss_file.c"
3042#endif 3246#endif
@@ -3045,4 +3249,3 @@ IMPLEMENT_STACK_OF(SSL_CIPHER)
3045IMPLEMENT_STACK_OF(SSL_COMP) 3249IMPLEMENT_STACK_OF(SSL_COMP)
3046IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, 3250IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
3047 ssl_cipher_id); 3251 ssl_cipher_id);
3048
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index cea622a2a6..d87fd51cfa 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -170,7 +170,7 @@
170# define OPENSSL_EXTERN OPENSSL_EXPORT 170# define OPENSSL_EXTERN OPENSSL_EXPORT
171#endif 171#endif
172 172
173#define PKCS1_CHECK 173#undef PKCS1_CHECK
174 174
175#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \ 175#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
176 l|=(((unsigned long)(*((c)++)))<< 8), \ 176 l|=(((unsigned long)(*((c)++)))<< 8), \
@@ -289,6 +289,7 @@
289#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */ 289#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
290#define SSL_kPSK 0x00000100L /* PSK */ 290#define SSL_kPSK 0x00000100L /* PSK */
291#define SSL_kGOST 0x00000200L /* GOST key exchange */ 291#define SSL_kGOST 0x00000200L /* GOST key exchange */
292#define SSL_kSRP 0x00000400L /* SRP */
292 293
293/* Bits for algorithm_auth (server authentication) */ 294/* Bits for algorithm_auth (server authentication) */
294#define SSL_aRSA 0x00000001L /* RSA auth */ 295#define SSL_aRSA 0x00000001L /* RSA auth */
@@ -316,21 +317,29 @@
316#define SSL_CAMELLIA256 0x00000200L 317#define SSL_CAMELLIA256 0x00000200L
317#define SSL_eGOST2814789CNT 0x00000400L 318#define SSL_eGOST2814789CNT 0x00000400L
318#define SSL_SEED 0x00000800L 319#define SSL_SEED 0x00000800L
320#define SSL_AES128GCM 0x00001000L
321#define SSL_AES256GCM 0x00002000L
319 322
320#define SSL_AES (SSL_AES128|SSL_AES256) 323#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
321#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) 324#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
322 325
323 326
324/* Bits for algorithm_mac (symmetric authentication) */ 327/* Bits for algorithm_mac (symmetric authentication) */
328
325#define SSL_MD5 0x00000001L 329#define SSL_MD5 0x00000001L
326#define SSL_SHA1 0x00000002L 330#define SSL_SHA1 0x00000002L
327#define SSL_GOST94 0x00000004L 331#define SSL_GOST94 0x00000004L
328#define SSL_GOST89MAC 0x00000008L 332#define SSL_GOST89MAC 0x00000008L
333#define SSL_SHA256 0x00000010L
334#define SSL_SHA384 0x00000020L
335/* Not a real MAC, just an indication it is part of cipher */
336#define SSL_AEAD 0x00000040L
329 337
330/* Bits for algorithm_ssl (protocol version) */ 338/* Bits for algorithm_ssl (protocol version) */
331#define SSL_SSLV2 0x00000001L 339#define SSL_SSLV2 0x00000001L
332#define SSL_SSLV3 0x00000002L 340#define SSL_SSLV3 0x00000002L
333#define SSL_TLSV1 SSL_SSLV3 /* for now */ 341#define SSL_TLSV1 SSL_SSLV3 /* for now */
342#define SSL_TLSV1_2 0x00000004L
334 343
335 344
336/* Bits for algorithm2 (handshake digests and other extra flags) */ 345/* Bits for algorithm2 (handshake digests and other extra flags) */
@@ -338,15 +347,21 @@
338#define SSL_HANDSHAKE_MAC_MD5 0x10 347#define SSL_HANDSHAKE_MAC_MD5 0x10
339#define SSL_HANDSHAKE_MAC_SHA 0x20 348#define SSL_HANDSHAKE_MAC_SHA 0x20
340#define SSL_HANDSHAKE_MAC_GOST94 0x40 349#define SSL_HANDSHAKE_MAC_GOST94 0x40
350#define SSL_HANDSHAKE_MAC_SHA256 0x80
351#define SSL_HANDSHAKE_MAC_SHA384 0x100
341#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) 352#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
342 353
343/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX 354/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
344 * make sure to update this constant too */ 355 * make sure to update this constant too */
345#define SSL_MAX_DIGEST 4 356#define SSL_MAX_DIGEST 6
357
358#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
346 359
347#define TLS1_PRF_DGST_SHIFT 8 360#define TLS1_PRF_DGST_SHIFT 10
348#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT) 361#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
349#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT) 362#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
363#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
364#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
350#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT) 365#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
351#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) 366#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
352 367
@@ -457,6 +472,8 @@ typedef struct cert_pkey_st
457 { 472 {
458 X509 *x509; 473 X509 *x509;
459 EVP_PKEY *privatekey; 474 EVP_PKEY *privatekey;
475 /* Digest to use when signing */
476 const EVP_MD *digest;
460 } CERT_PKEY; 477 } CERT_PKEY;
461 478
462typedef struct cert_st 479typedef struct cert_st
@@ -554,6 +571,10 @@ typedef struct ssl3_enc_method
554 const char *server_finished_label; 571 const char *server_finished_label;
555 int server_finished_label_len; 572 int server_finished_label_len;
556 int (*alert_value)(int); 573 int (*alert_value)(int);
574 int (*export_keying_material)(SSL *, unsigned char *, size_t,
575 const char *, size_t,
576 const unsigned char *, size_t,
577 int use_context);
557 } SSL3_ENC_METHOD; 578 } SSL3_ENC_METHOD;
558 579
559#ifndef OPENSSL_NO_COMP 580#ifndef OPENSSL_NO_COMP
@@ -591,11 +612,12 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
591extern SSL3_ENC_METHOD SSLv3_enc_data; 612extern SSL3_ENC_METHOD SSLv3_enc_data;
592extern SSL3_ENC_METHOD DTLSv1_enc_data; 613extern SSL3_ENC_METHOD DTLSv1_enc_data;
593 614
594#define IMPLEMENT_tls1_meth_func(func_name, s_accept, s_connect, s_get_meth) \ 615#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
616 s_get_meth) \
595const SSL_METHOD *func_name(void) \ 617const SSL_METHOD *func_name(void) \
596 { \ 618 { \
597 static const SSL_METHOD func_name##_data= { \ 619 static const SSL_METHOD func_name##_data= { \
598 TLS1_VERSION, \ 620 version, \
599 tls1_new, \ 621 tls1_new, \
600 tls1_clear, \ 622 tls1_clear, \
601 tls1_free, \ 623 tls1_free, \
@@ -669,7 +691,7 @@ const SSL_METHOD *func_name(void) \
669const SSL_METHOD *func_name(void) \ 691const SSL_METHOD *func_name(void) \
670 { \ 692 { \
671 static const SSL_METHOD func_name##_data= { \ 693 static const SSL_METHOD func_name##_data= { \
672 TLS1_VERSION, \ 694 TLS1_2_VERSION, \
673 tls1_new, \ 695 tls1_new, \
674 tls1_clear, \ 696 tls1_clear, \
675 tls1_free, \ 697 tls1_free, \
@@ -752,7 +774,7 @@ const SSL_METHOD *func_name(void) \
752 ssl3_read, \ 774 ssl3_read, \
753 ssl3_peek, \ 775 ssl3_peek, \
754 ssl3_write, \ 776 ssl3_write, \
755 ssl3_shutdown, \ 777 dtls1_shutdown, \
756 ssl3_renegotiate, \ 778 ssl3_renegotiate, \
757 ssl3_renegotiate_check, \ 779 ssl3_renegotiate_check, \
758 dtls1_get_message, \ 780 dtls1_get_message, \
@@ -809,7 +831,7 @@ int ssl_undefined_function(SSL *s);
809int ssl_undefined_void_function(void); 831int ssl_undefined_void_function(void);
810int ssl_undefined_const_function(const SSL *s); 832int ssl_undefined_const_function(const SSL *s);
811X509 *ssl_get_server_send_cert(SSL *); 833X509 *ssl_get_server_send_cert(SSL *);
812EVP_PKEY *ssl_get_sign_pkey(SSL *,const SSL_CIPHER *); 834EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
813int ssl_cert_type(X509 *x,EVP_PKEY *pkey); 835int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
814void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); 836void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
815STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); 837STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
@@ -943,6 +965,7 @@ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
943void dtls1_reset_seq_numbers(SSL *s, int rw); 965void dtls1_reset_seq_numbers(SSL *s, int rw);
944long dtls1_default_timeout(void); 966long dtls1_default_timeout(void);
945struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); 967struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
968int dtls1_check_timeout_num(SSL *s);
946int dtls1_handle_timeout(SSL *s); 969int dtls1_handle_timeout(SSL *s);
947const SSL_CIPHER *dtls1_get_cipher(unsigned int u); 970const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
948void dtls1_start_timer(SSL *s); 971void dtls1_start_timer(SSL *s);
@@ -968,6 +991,9 @@ int ssl3_get_server_certificate(SSL *s);
968int ssl3_check_cert_and_algorithm(SSL *s); 991int ssl3_check_cert_and_algorithm(SSL *s);
969#ifndef OPENSSL_NO_TLSEXT 992#ifndef OPENSSL_NO_TLSEXT
970int ssl3_check_finished(SSL *s); 993int ssl3_check_finished(SSL *s);
994# ifndef OPENSSL_NO_NEXTPROTONEG
995int ssl3_send_next_proto(SSL *s);
996# endif
971#endif 997#endif
972 998
973int dtls1_client_hello(SSL *s); 999int dtls1_client_hello(SSL *s);
@@ -986,6 +1012,9 @@ int ssl3_check_client_hello(SSL *s);
986int ssl3_get_client_certificate(SSL *s); 1012int ssl3_get_client_certificate(SSL *s);
987int ssl3_get_client_key_exchange(SSL *s); 1013int ssl3_get_client_key_exchange(SSL *s);
988int ssl3_get_cert_verify(SSL *s); 1014int ssl3_get_cert_verify(SSL *s);
1015#ifndef OPENSSL_NO_NEXTPROTONEG
1016int ssl3_get_next_proto(SSL *s);
1017#endif
989 1018
990int dtls1_send_hello_request(SSL *s); 1019int dtls1_send_hello_request(SSL *s);
991int dtls1_send_server_hello(SSL *s); 1020int dtls1_send_server_hello(SSL *s);
@@ -1013,6 +1042,7 @@ int dtls1_connect(SSL *s);
1013void dtls1_free(SSL *s); 1042void dtls1_free(SSL *s);
1014void dtls1_clear(SSL *s); 1043void dtls1_clear(SSL *s);
1015long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg); 1044long dtls1_ctrl(SSL *s,int cmd, long larg, void *parg);
1045int dtls1_shutdown(SSL *s);
1016 1046
1017long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); 1047long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
1018int dtls1_get_record(SSL *s); 1048int dtls1_get_record(SSL *s);
@@ -1033,12 +1063,15 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
1033int tls1_mac(SSL *ssl, unsigned char *md, int snd); 1063int tls1_mac(SSL *ssl, unsigned char *md, int snd);
1034int tls1_generate_master_secret(SSL *s, unsigned char *out, 1064int tls1_generate_master_secret(SSL *s, unsigned char *out,
1035 unsigned char *p, int len); 1065 unsigned char *p, int len);
1066int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1067 const char *label, size_t llen,
1068 const unsigned char *p, size_t plen, int use_context);
1036int tls1_alert_code(int code); 1069int tls1_alert_code(int code);
1037int ssl3_alert_code(int code); 1070int ssl3_alert_code(int code);
1038int ssl_ok(SSL *s); 1071int ssl_ok(SSL *s);
1039 1072
1040#ifndef OPENSSL_NO_ECDH 1073#ifndef OPENSSL_NO_ECDH
1041int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs); 1074int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
1042#endif 1075#endif
1043 1076
1044SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); 1077SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
@@ -1058,6 +1091,13 @@ int ssl_prepare_serverhello_tlsext(SSL *s);
1058int ssl_check_clienthello_tlsext(SSL *s); 1091int ssl_check_clienthello_tlsext(SSL *s);
1059int ssl_check_serverhello_tlsext(SSL *s); 1092int ssl_check_serverhello_tlsext(SSL *s);
1060 1093
1094#ifndef OPENSSL_NO_HEARTBEATS
1095int tls1_heartbeat(SSL *s);
1096int dtls1_heartbeat(SSL *s);
1097int tls1_process_heartbeat(SSL *s);
1098int dtls1_process_heartbeat(SSL *s);
1099#endif
1100
1061#ifdef OPENSSL_NO_SHA256 1101#ifdef OPENSSL_NO_SHA256
1062#define tlsext_tick_md EVP_sha1 1102#define tlsext_tick_md EVP_sha1
1063#else 1103#else
@@ -1065,6 +1105,12 @@ int ssl_check_serverhello_tlsext(SSL *s);
1065#endif 1105#endif
1066int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 1106int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1067 const unsigned char *limit, SSL_SESSION **ret); 1107 const unsigned char *limit, SSL_SESSION **ret);
1108
1109int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
1110 const EVP_MD *md);
1111int tls12_get_sigid(const EVP_PKEY *pk);
1112const EVP_MD *tls12_get_hash(unsigned char hash_alg);
1113
1068#endif 1114#endif
1069EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ; 1115EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
1070void ssl_clear_hash_ctx(EVP_MD_CTX **hash); 1116void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
@@ -1076,4 +1122,13 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
1076 int maxlen); 1122 int maxlen);
1077int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, 1123int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len,
1078 int *al); 1124 int *al);
1125long ssl_get_algorithm2(SSL *s);
1126int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
1127int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
1128
1129int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1130int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1131int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1132int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1133
1079#endif 1134#endif
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 8e5d8a0972..ad40fadd02 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -218,6 +218,9 @@ SSL_SESSION *SSL_SESSION_new(void)
218 ss->psk_identity_hint=NULL; 218 ss->psk_identity_hint=NULL;
219 ss->psk_identity=NULL; 219 ss->psk_identity=NULL;
220#endif 220#endif
221#ifndef OPENSSL_NO_SRP
222 ss->srp_username=NULL;
223#endif
221 return(ss); 224 return(ss);
222 } 225 }
223 226
@@ -228,6 +231,11 @@ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
228 return s->session_id; 231 return s->session_id;
229 } 232 }
230 233
234unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s)
235 {
236 return s->compress_meth;
237 }
238
231/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1 239/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
232 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly 240 * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
233 * until we have no conflict is going to complete in one iteration pretty much 241 * until we have no conflict is going to complete in one iteration pretty much
@@ -300,6 +308,16 @@ int ssl_get_new_session(SSL *s, int session)
300 ss->ssl_version=TLS1_VERSION; 308 ss->ssl_version=TLS1_VERSION;
301 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; 309 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
302 } 310 }
311 else if (s->version == TLS1_1_VERSION)
312 {
313 ss->ssl_version=TLS1_1_VERSION;
314 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
315 }
316 else if (s->version == TLS1_2_VERSION)
317 {
318 ss->ssl_version=TLS1_2_VERSION;
319 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
320 }
303 else if (s->version == DTLS1_BAD_VER) 321 else if (s->version == DTLS1_BAD_VER)
304 { 322 {
305 ss->ssl_version=DTLS1_BAD_VER; 323 ss->ssl_version=DTLS1_BAD_VER;
@@ -423,6 +441,25 @@ int ssl_get_new_session(SSL *s, int session)
423 return(1); 441 return(1);
424 } 442 }
425 443
444/* ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
445 * connection. It is only called by servers.
446 *
447 * session_id: points at the session ID in the ClientHello. This code will
448 * read past the end of this in order to parse out the session ticket
449 * extension, if any.
450 * len: the length of the session ID.
451 * limit: a pointer to the first byte after the ClientHello.
452 *
453 * Returns:
454 * -1: error
455 * 0: a session may have been found.
456 *
457 * Side effects:
458 * - If a session is found then s->session is pointed at it (after freeing an
459 * existing session if need be) and s->verify_result is set from the session.
460 * - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
461 * if the server should issue a new session ticket (to 0 otherwise).
462 */
426int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, 463int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
427 const unsigned char *limit) 464 const unsigned char *limit)
428 { 465 {
@@ -430,27 +467,39 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
430 467
431 SSL_SESSION *ret=NULL; 468 SSL_SESSION *ret=NULL;
432 int fatal = 0; 469 int fatal = 0;
470 int try_session_cache = 1;
433#ifndef OPENSSL_NO_TLSEXT 471#ifndef OPENSSL_NO_TLSEXT
434 int r; 472 int r;
435#endif 473#endif
436 474
437 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) 475 if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
438 goto err; 476 goto err;
477
478 if (len == 0)
479 try_session_cache = 0;
480
439#ifndef OPENSSL_NO_TLSEXT 481#ifndef OPENSSL_NO_TLSEXT
440 r = tls1_process_ticket(s, session_id, len, limit, &ret); 482 r = tls1_process_ticket(s, session_id, len, limit, &ret); /* sets s->tlsext_ticket_expected */
441 if (r == -1) 483 switch (r)
442 { 484 {
485 case -1: /* Error during processing */
443 fatal = 1; 486 fatal = 1;
444 goto err; 487 goto err;
488 case 0: /* No ticket found */
489 case 1: /* Zero length ticket found */
490 break; /* Ok to carry on processing session id. */
491 case 2: /* Ticket found but not decrypted. */
492 case 3: /* Ticket decrypted, *ret has been set. */
493 try_session_cache = 0;
494 break;
495 default:
496 abort();
445 } 497 }
446 else if (r == 0 || (!ret && !len))
447 goto err;
448 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
449#else
450 if (len == 0)
451 goto err;
452 if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
453#endif 498#endif
499
500 if (try_session_cache &&
501 ret == NULL &&
502 !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
454 { 503 {
455 SSL_SESSION data; 504 SSL_SESSION data;
456 data.ssl_version=s->version; 505 data.ssl_version=s->version;
@@ -461,20 +510,22 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
461 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); 510 CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
462 ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data); 511 ret=lh_SSL_SESSION_retrieve(s->session_ctx->sessions,&data);
463 if (ret != NULL) 512 if (ret != NULL)
464 /* don't allow other threads to steal it: */ 513 {
465 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); 514 /* don't allow other threads to steal it: */
515 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
516 }
466 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); 517 CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
518 if (ret == NULL)
519 s->session_ctx->stats.sess_miss++;
467 } 520 }
468 521
469 if (ret == NULL) 522 if (try_session_cache &&
523 ret == NULL &&
524 s->session_ctx->get_session_cb != NULL)
470 { 525 {
471 int copy=1; 526 int copy=1;
472 527
473 s->session_ctx->stats.sess_miss++; 528 if ((ret=s->session_ctx->get_session_cb(s,session_id,len,&copy)))
474 ret=NULL;
475 if (s->session_ctx->get_session_cb != NULL
476 && (ret=s->session_ctx->get_session_cb(s,session_id,len,&copy))
477 != NULL)
478 { 529 {
479 s->session_ctx->stats.sess_cb_hit++; 530 s->session_ctx->stats.sess_cb_hit++;
480 531
@@ -493,23 +544,18 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
493 * things are very strange */ 544 * things are very strange */
494 SSL_CTX_add_session(s->session_ctx,ret); 545 SSL_CTX_add_session(s->session_ctx,ret);
495 } 546 }
496 if (ret == NULL)
497 goto err;
498 } 547 }
499 548
500 /* Now ret is non-NULL, and we own one of its reference counts. */ 549 if (ret == NULL)
550 goto err;
551
552 /* Now ret is non-NULL and we own one of its reference counts. */
501 553
502 if (ret->sid_ctx_length != s->sid_ctx_length 554 if (ret->sid_ctx_length != s->sid_ctx_length
503 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)) 555 || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
504 { 556 {
505 /* We've found the session named by the client, but we don't 557 /* We have the session requested by the client, but we don't
506 * want to use it in this context. */ 558 * want to use it in this context. */
507
508#if 0 /* The client cannot always know when a session is not appropriate,
509 * so we shouldn't generate an error message. */
510
511 SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
512#endif
513 goto err; /* treat like cache miss */ 559 goto err; /* treat like cache miss */
514 } 560 }
515 561
@@ -546,39 +592,38 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
546 goto err; 592 goto err;
547 } 593 }
548 594
549
550#if 0 /* This is way too late. */
551
552 /* If a thread got the session, then 'swaped', and another got
553 * it and then due to a time-out decided to 'OPENSSL_free' it we could
554 * be in trouble. So I'll increment it now, then double decrement
555 * later - am I speaking rubbish?. */
556 CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
557#endif
558
559 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ 595 if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
560 { 596 {
561 s->session_ctx->stats.sess_timeout++; 597 s->session_ctx->stats.sess_timeout++;
562 /* remove it from the cache */ 598 if (try_session_cache)
563 SSL_CTX_remove_session(s->session_ctx,ret); 599 {
600 /* session was from the cache, so remove it */
601 SSL_CTX_remove_session(s->session_ctx,ret);
602 }
564 goto err; 603 goto err;
565 } 604 }
566 605
567 s->session_ctx->stats.sess_hit++; 606 s->session_ctx->stats.sess_hit++;
568 607
569 /* ret->time=time(NULL); */ /* rezero timeout? */
570 /* again, just leave the session
571 * if it is the same session, we have just incremented and
572 * then decremented the reference count :-) */
573 if (s->session != NULL) 608 if (s->session != NULL)
574 SSL_SESSION_free(s->session); 609 SSL_SESSION_free(s->session);
575 s->session=ret; 610 s->session=ret;
576 s->verify_result = s->session->verify_result; 611 s->verify_result = s->session->verify_result;
577 return(1); 612 return 1;
578 613
579 err: 614 err:
580 if (ret != NULL) 615 if (ret != NULL)
616 {
581 SSL_SESSION_free(ret); 617 SSL_SESSION_free(ret);
618#ifndef OPENSSL_NO_TLSEXT
619 if (!try_session_cache)
620 {
621 /* The session was from a ticket, so we should
622 * issue a ticket for the new session */
623 s->tlsext_ticket_expected = 1;
624 }
625#endif
626 }
582 if (fatal) 627 if (fatal)
583 return -1; 628 return -1;
584 else 629 else
@@ -729,6 +774,10 @@ void SSL_SESSION_free(SSL_SESSION *ss)
729 if (ss->psk_identity != NULL) 774 if (ss->psk_identity != NULL)
730 OPENSSL_free(ss->psk_identity); 775 OPENSSL_free(ss->psk_identity);
731#endif 776#endif
777#ifndef OPENSSL_NO_SRP
778 if (ss->srp_username != NULL)
779 OPENSSL_free(ss->srp_username);
780#endif
732 OPENSSL_cleanse(ss,sizeof(*ss)); 781 OPENSSL_cleanse(ss,sizeof(*ss));
733 OPENSSL_free(ss); 782 OPENSSL_free(ss);
734 } 783 }
@@ -753,10 +802,6 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
753 { 802 {
754 if (!SSL_set_ssl_method(s,meth)) 803 if (!SSL_set_ssl_method(s,meth))
755 return(0); 804 return(0);
756 if (s->ctx->session_timeout == 0)
757 session->timeout=SSL_get_default_timeout(s);
758 else
759 session->timeout=s->ctx->session_timeout;
760 } 805 }
761 806
762#ifndef OPENSSL_NO_KRB5 807#ifndef OPENSSL_NO_KRB5
@@ -824,6 +869,25 @@ long SSL_SESSION_set_time(SSL_SESSION *s, long t)
824 return(t); 869 return(t);
825 } 870 }
826 871
872X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
873 {
874 return s->peer;
875 }
876
877int SSL_SESSION_set1_id_context(SSL_SESSION *s,const unsigned char *sid_ctx,
878 unsigned int sid_ctx_len)
879 {
880 if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
881 {
882 SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
883 return 0;
884 }
885 s->sid_ctx_length=sid_ctx_len;
886 memcpy(s->sid_ctx,sid_ctx,sid_ctx_len);
887
888 return 1;
889 }
890
827long SSL_CTX_set_timeout(SSL_CTX *s, long t) 891long SSL_CTX_set_timeout(SSL_CTX *s, long t)
828 { 892 {
829 long l; 893 long l;
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index 3122440e26..6479d52c0c 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -115,6 +115,10 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
115 s="SSLv2"; 115 s="SSLv2";
116 else if (x->ssl_version == SSL3_VERSION) 116 else if (x->ssl_version == SSL3_VERSION)
117 s="SSLv3"; 117 s="SSLv3";
118 else if (x->ssl_version == TLS1_2_VERSION)
119 s="TLSv1.2";
120 else if (x->ssl_version == TLS1_1_VERSION)
121 s="TLSv1.1";
118 else if (x->ssl_version == TLS1_VERSION) 122 else if (x->ssl_version == TLS1_VERSION)
119 s="TLSv1"; 123 s="TLSv1";
120 else if (x->ssl_version == DTLS1_VERSION) 124 else if (x->ssl_version == DTLS1_VERSION)
@@ -187,6 +191,10 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
187 if (BIO_puts(bp,"\n PSK identity hint: ") <= 0) goto err; 191 if (BIO_puts(bp,"\n PSK identity hint: ") <= 0) goto err;
188 if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err; 192 if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0) goto err;
189#endif 193#endif
194#ifndef OPENSSL_NO_SRP
195 if (BIO_puts(bp,"\n SRP username: ") <= 0) goto err;
196 if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0) goto err;
197#endif
190#ifndef OPENSSL_NO_TLSEXT 198#ifndef OPENSSL_NO_TLSEXT
191 if (x->tlsext_tick_lifetime_hint) 199 if (x->tlsext_tick_lifetime_hint)
192 { 200 {
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index c87af17712..578617ed84 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -66,13 +66,26 @@
66static const SSL_METHOD *tls1_get_client_method(int ver); 66static const SSL_METHOD *tls1_get_client_method(int ver);
67static const SSL_METHOD *tls1_get_client_method(int ver) 67static const SSL_METHOD *tls1_get_client_method(int ver)
68 { 68 {
69 if (ver == TLS1_2_VERSION)
70 return TLSv1_2_client_method();
71 if (ver == TLS1_1_VERSION)
72 return TLSv1_1_client_method();
69 if (ver == TLS1_VERSION) 73 if (ver == TLS1_VERSION)
70 return(TLSv1_client_method()); 74 return TLSv1_client_method();
71 else 75 return NULL;
72 return(NULL);
73 } 76 }
74 77
75IMPLEMENT_tls1_meth_func(TLSv1_client_method, 78IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method,
79 ssl_undefined_function,
80 ssl3_connect,
81 tls1_get_client_method)
82
83IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method,
84 ssl_undefined_function,
85 ssl3_connect,
86 tls1_get_client_method)
87
88IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method,
76 ssl_undefined_function, 89 ssl_undefined_function,
77 ssl3_connect, 90 ssl3_connect,
78 tls1_get_client_method) 91 tls1_get_client_method)
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 793ea43e90..f7bdeb3b9d 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -143,6 +143,7 @@
143#include <openssl/evp.h> 143#include <openssl/evp.h>
144#include <openssl/hmac.h> 144#include <openssl/hmac.h>
145#include <openssl/md5.h> 145#include <openssl/md5.h>
146#include <openssl/rand.h>
146#ifdef KSSL_DEBUG 147#ifdef KSSL_DEBUG
147#include <openssl/des.h> 148#include <openssl/des.h>
148#endif 149#endif
@@ -158,68 +159,75 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
158 unsigned char *out, int olen) 159 unsigned char *out, int olen)
159 { 160 {
160 int chunk; 161 int chunk;
161 unsigned int j; 162 size_t j;
162 HMAC_CTX ctx; 163 EVP_MD_CTX ctx, ctx_tmp;
163 HMAC_CTX ctx_tmp; 164 EVP_PKEY *mac_key;
164 unsigned char A1[EVP_MAX_MD_SIZE]; 165 unsigned char A1[EVP_MAX_MD_SIZE];
165 unsigned int A1_len; 166 size_t A1_len;
166 int ret = 0; 167 int ret = 0;
167 168
168 chunk=EVP_MD_size(md); 169 chunk=EVP_MD_size(md);
169 OPENSSL_assert(chunk >= 0); 170 OPENSSL_assert(chunk >= 0);
170 171
171 HMAC_CTX_init(&ctx); 172 EVP_MD_CTX_init(&ctx);
172 HMAC_CTX_init(&ctx_tmp); 173 EVP_MD_CTX_init(&ctx_tmp);
173 if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL)) 174 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
175 EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
176 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
177 if (!mac_key)
178 goto err;
179 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
174 goto err; 180 goto err;
175 if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL)) 181 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
176 goto err; 182 goto err;
177 if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len)) 183 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
178 goto err; 184 goto err;
179 if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len)) 185 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
180 goto err; 186 goto err;
181 if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len)) 187 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len))
182 goto err; 188 goto err;
183 if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len)) 189 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len))
184 goto err; 190 goto err;
185 if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len)) 191 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len))
186 goto err; 192 goto err;
187 if (!HMAC_Final(&ctx,A1,&A1_len)) 193 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
188 goto err; 194 goto err;
189 195
190 for (;;) 196 for (;;)
191 { 197 {
192 if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */ 198 /* Reinit mac contexts */
199 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
193 goto err; 200 goto err;
194 if (!HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL)) /* re-init */ 201 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
195 goto err; 202 goto err;
196 if (!HMAC_Update(&ctx,A1,A1_len)) 203 if (!EVP_DigestSignUpdate(&ctx,A1,A1_len))
197 goto err; 204 goto err;
198 if (!HMAC_Update(&ctx_tmp,A1,A1_len)) 205 if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len))
199 goto err; 206 goto err;
200 if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len)) 207 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
201 goto err; 208 goto err;
202 if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len)) 209 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
203 goto err; 210 goto err;
204 if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len)) 211 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len))
205 goto err; 212 goto err;
206 if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len)) 213 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len))
207 goto err; 214 goto err;
208 if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len)) 215 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len))
209 goto err; 216 goto err;
210 217
211 if (olen > chunk) 218 if (olen > chunk)
212 { 219 {
213 if (!HMAC_Final(&ctx,out,&j)) 220 if (!EVP_DigestSignFinal(&ctx,out,&j))
214 goto err; 221 goto err;
215 out+=j; 222 out+=j;
216 olen-=j; 223 olen-=j;
217 if (!HMAC_Final(&ctx_tmp,A1,&A1_len)) /* calc the next A1 value */ 224 /* calc the next A1 value */
225 if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len))
218 goto err; 226 goto err;
219 } 227 }
220 else /* last one */ 228 else /* last one */
221 { 229 {
222 if (!HMAC_Final(&ctx,A1,&A1_len)) 230 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
223 goto err; 231 goto err;
224 memcpy(out,A1,olen); 232 memcpy(out,A1,olen);
225 break; 233 break;
@@ -227,8 +235,9 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
227 } 235 }
228 ret = 1; 236 ret = 1;
229err: 237err:
230 HMAC_CTX_cleanup(&ctx); 238 EVP_PKEY_free(mac_key);
231 HMAC_CTX_cleanup(&ctx_tmp); 239 EVP_MD_CTX_cleanup(&ctx);
240 EVP_MD_CTX_cleanup(&ctx_tmp);
232 OPENSSL_cleanse(A1,sizeof(A1)); 241 OPENSSL_cleanse(A1,sizeof(A1));
233 return ret; 242 return ret;
234 } 243 }
@@ -256,6 +265,8 @@ static int tls1_PRF(long digest_mask,
256 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++; 265 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++;
257 } 266 }
258 len=slen/count; 267 len=slen/count;
268 if (count == 1)
269 slen = 0;
259 S1=sec; 270 S1=sec;
260 memset(out1,0,olen); 271 memset(out1,0,olen);
261 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { 272 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
@@ -284,7 +295,7 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
284 unsigned char *tmp, int num) 295 unsigned char *tmp, int num)
285 { 296 {
286 int ret; 297 int ret;
287 ret = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 298 ret = tls1_PRF(ssl_get_algorithm2(s),
288 TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE, 299 TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE,
289 s->s3->server_random,SSL3_RANDOM_SIZE, 300 s->s3->server_random,SSL3_RANDOM_SIZE,
290 s->s3->client_random,SSL3_RANDOM_SIZE, 301 s->s3->client_random,SSL3_RANDOM_SIZE,
@@ -358,7 +369,7 @@ int tls1_change_cipher_state(SSL *s, int which)
358 { 369 {
359 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 370 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
360 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 371 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
361 else 372 else
362 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 373 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
363 374
364 if (s->enc_read_ctx != NULL) 375 if (s->enc_read_ctx != NULL)
@@ -445,7 +456,11 @@ int tls1_change_cipher_state(SSL *s, int which)
445 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 456 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
446 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 457 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
447 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 458 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
448 k=EVP_CIPHER_iv_length(c); 459 /* If GCM mode only part of IV comes from PRF */
460 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
461 k = EVP_GCM_TLS_FIXED_IV_LEN;
462 else
463 k=EVP_CIPHER_iv_length(c);
449 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 464 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
450 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 465 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
451 { 466 {
@@ -474,10 +489,14 @@ int tls1_change_cipher_state(SSL *s, int which)
474 } 489 }
475 490
476 memcpy(mac_secret,ms,i); 491 memcpy(mac_secret,ms,i);
477 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 492
478 mac_secret,*mac_secret_size); 493 if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER))
479 EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); 494 {
480 EVP_PKEY_free(mac_key); 495 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
496 mac_secret,*mac_secret_size);
497 EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key);
498 EVP_PKEY_free(mac_key);
499 }
481#ifdef TLS_DEBUG 500#ifdef TLS_DEBUG
482printf("which = %04X\nmac key=",which); 501printf("which = %04X\nmac key=",which);
483{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 502{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
@@ -487,7 +506,7 @@ printf("which = %04X\nmac key=",which);
487 /* In here I set both the read and write key/iv to the 506 /* In here I set both the read and write key/iv to the
488 * same value since only the correct one will be used :-). 507 * same value since only the correct one will be used :-).
489 */ 508 */
490 if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 509 if (!tls1_PRF(ssl_get_algorithm2(s),
491 exp_label,exp_label_len, 510 exp_label,exp_label_len,
492 s->s3->client_random,SSL3_RANDOM_SIZE, 511 s->s3->client_random,SSL3_RANDOM_SIZE,
493 s->s3->server_random,SSL3_RANDOM_SIZE, 512 s->s3->server_random,SSL3_RANDOM_SIZE,
@@ -498,7 +517,7 @@ printf("which = %04X\nmac key=",which);
498 517
499 if (k > 0) 518 if (k > 0)
500 { 519 {
501 if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 520 if (!tls1_PRF(ssl_get_algorithm2(s),
502 TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, 521 TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
503 s->s3->client_random,SSL3_RANDOM_SIZE, 522 s->s3->client_random,SSL3_RANDOM_SIZE,
504 s->s3->server_random,SSL3_RANDOM_SIZE, 523 s->s3->server_random,SSL3_RANDOM_SIZE,
@@ -524,7 +543,19 @@ printf("which = %04X\nmac key=",which);
524 } 543 }
525#endif /* KSSL_DEBUG */ 544#endif /* KSSL_DEBUG */
526 545
527 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); 546 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
547 {
548 EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE));
549 EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv);
550 }
551 else
552 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
553
554 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
555 if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
556 EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY,
557 *mac_secret_size,mac_secret);
558
528#ifdef TLS_DEBUG 559#ifdef TLS_DEBUG
529printf("which = %04X\nkey=",which); 560printf("which = %04X\nkey=",which);
530{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 561{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
@@ -606,7 +637,8 @@ printf("\nkey block\n");
606{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 637{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
607#endif 638#endif
608 639
609 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 640 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
641 && s->method->version <= TLS1_VERSION)
610 { 642 {
611 /* enable vulnerability countermeasure for CBC ciphers with 643 /* enable vulnerability countermeasure for CBC ciphers with
612 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 644 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
@@ -640,14 +672,14 @@ int tls1_enc(SSL *s, int send)
640 SSL3_RECORD *rec; 672 SSL3_RECORD *rec;
641 EVP_CIPHER_CTX *ds; 673 EVP_CIPHER_CTX *ds;
642 unsigned long l; 674 unsigned long l;
643 int bs,i,ii,j,k,n=0; 675 int bs,i,ii,j,k,pad=0;
644 const EVP_CIPHER *enc; 676 const EVP_CIPHER *enc;
645 677
646 if (send) 678 if (send)
647 { 679 {
648 if (EVP_MD_CTX_md(s->write_hash)) 680 if (EVP_MD_CTX_md(s->write_hash))
649 { 681 {
650 n=EVP_MD_CTX_size(s->write_hash); 682 int n=EVP_MD_CTX_size(s->write_hash);
651 OPENSSL_assert(n >= 0); 683 OPENSSL_assert(n >= 0);
652 } 684 }
653 ds=s->enc_write_ctx; 685 ds=s->enc_write_ctx;
@@ -655,13 +687,34 @@ int tls1_enc(SSL *s, int send)
655 if (s->enc_write_ctx == NULL) 687 if (s->enc_write_ctx == NULL)
656 enc=NULL; 688 enc=NULL;
657 else 689 else
690 {
691 int ivlen;
658 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 692 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
693 /* For TLSv1.1 and later explicit IV */
694 if (s->version >= TLS1_1_VERSION
695 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
696 ivlen = EVP_CIPHER_iv_length(enc);
697 else
698 ivlen = 0;
699 if (ivlen > 1)
700 {
701 if ( rec->data != rec->input)
702 /* we can't write into the input stream:
703 * Can this ever happen?? (steve)
704 */
705 fprintf(stderr,
706 "%s:%d: rec->data != rec->input\n",
707 __FILE__, __LINE__);
708 else if (RAND_bytes(rec->input, ivlen) <= 0)
709 return -1;
710 }
711 }
659 } 712 }
660 else 713 else
661 { 714 {
662 if (EVP_MD_CTX_md(s->read_hash)) 715 if (EVP_MD_CTX_md(s->read_hash))
663 { 716 {
664 n=EVP_MD_CTX_size(s->read_hash); 717 int n=EVP_MD_CTX_size(s->read_hash);
665 OPENSSL_assert(n >= 0); 718 OPENSSL_assert(n >= 0);
666 } 719 }
667 ds=s->enc_read_ctx; 720 ds=s->enc_read_ctx;
@@ -687,7 +740,43 @@ int tls1_enc(SSL *s, int send)
687 l=rec->length; 740 l=rec->length;
688 bs=EVP_CIPHER_block_size(ds->cipher); 741 bs=EVP_CIPHER_block_size(ds->cipher);
689 742
690 if ((bs != 1) && send) 743 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
744 {
745 unsigned char buf[13],*seq;
746
747 seq = send?s->s3->write_sequence:s->s3->read_sequence;
748
749 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
750 {
751 unsigned char dtlsseq[9],*p=dtlsseq;
752
753 s2n(send?s->d1->w_epoch:s->d1->r_epoch,p);
754 memcpy(p,&seq[2],6);
755 memcpy(buf,dtlsseq,8);
756 }
757 else
758 {
759 memcpy(buf,seq,8);
760 for (i=7; i>=0; i--) /* increment */
761 {
762 ++seq[i];
763 if (seq[i] != 0) break;
764 }
765 }
766
767 buf[8]=rec->type;
768 buf[9]=(unsigned char)(s->version>>8);
769 buf[10]=(unsigned char)(s->version);
770 buf[11]=rec->length>>8;
771 buf[12]=rec->length&0xff;
772 pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
773 if (send)
774 {
775 l+=pad;
776 rec->length+=pad;
777 }
778 }
779 else if ((bs != 1) && send)
691 { 780 {
692 i=bs-((int)l%bs); 781 i=bs-((int)l%bs);
693 782
@@ -728,13 +817,25 @@ int tls1_enc(SSL *s, int send)
728 { 817 {
729 if (l == 0 || l%bs != 0) 818 if (l == 0 || l%bs != 0)
730 { 819 {
820 if (s->version >= TLS1_1_VERSION)
821 return -1;
731 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 822 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
732 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 823 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
733 return 0; 824 return 0;
734 } 825 }
735 } 826 }
736 827
737 EVP_Cipher(ds,rec->data,rec->input,l); 828 i = EVP_Cipher(ds,rec->data,rec->input,l);
829 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER)
830 ?(i<0)
831 :(i==0))
832 return -1; /* AEAD can fail to verify MAC */
833 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send)
834 {
835 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
836 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
837 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
838 }
738 839
739#ifdef KSSL_DEBUG 840#ifdef KSSL_DEBUG
740 { 841 {
@@ -784,8 +885,19 @@ int tls1_enc(SSL *s, int send)
784 return -1; 885 return -1;
785 } 886 }
786 } 887 }
787 rec->length-=i; 888 rec->length -=i;
889 if (s->version >= TLS1_1_VERSION
890 && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
891 {
892 if (bs > (int)rec->length)
893 return -1;
894 rec->data += bs; /* skip the explicit IV */
895 rec->input += bs;
896 rec->length -= bs;
897 }
788 } 898 }
899 if (pad && !send)
900 rec->length -= pad;
789 } 901 }
790 return(1); 902 return(1);
791 } 903 }
@@ -841,7 +953,7 @@ int tls1_final_finish_mac(SSL *s,
841 953
842 for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) 954 for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
843 { 955 {
844 if (mask & s->s3->tmp.new_cipher->algorithm2) 956 if (mask & ssl_get_algorithm2(s))
845 { 957 {
846 int hashsize = EVP_MD_size(md); 958 int hashsize = EVP_MD_size(md);
847 if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 959 if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
@@ -860,7 +972,7 @@ int tls1_final_finish_mac(SSL *s,
860 } 972 }
861 } 973 }
862 974
863 if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 975 if (!tls1_PRF(ssl_get_algorithm2(s),
864 str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, 976 str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
865 s->session->master_key,s->session->master_key_length, 977 s->session->master_key,s->session->master_key_length,
866 out,buf2,sizeof buf2)) 978 out,buf2,sizeof buf2))
@@ -970,6 +1082,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
970 const void *co = NULL, *so = NULL; 1082 const void *co = NULL, *so = NULL;
971 int col = 0, sol = 0; 1083 int col = 0, sol = 0;
972 1084
1085
973#ifdef KSSL_DEBUG 1086#ifdef KSSL_DEBUG
974 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); 1087 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
975#endif /* KSSL_DEBUG */ 1088#endif /* KSSL_DEBUG */
@@ -986,7 +1099,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
986 } 1099 }
987#endif 1100#endif
988 1101
989 tls1_PRF(s->s3->tmp.new_cipher->algorithm2, 1102 tls1_PRF(ssl_get_algorithm2(s),
990 TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, 1103 TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE,
991 s->s3->client_random,SSL3_RANDOM_SIZE, 1104 s->s3->client_random,SSL3_RANDOM_SIZE,
992 co, col, 1105 co, col,
@@ -994,6 +1107,16 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
994 so, sol, 1107 so, sol,
995 p,len, 1108 p,len,
996 s->session->master_key,buff,sizeof buff); 1109 s->session->master_key,buff,sizeof buff);
1110#ifdef SSL_DEBUG
1111 fprintf(stderr, "Premaster Secret:\n");
1112 BIO_dump_fp(stderr, (char *)p, len);
1113 fprintf(stderr, "Client Random:\n");
1114 BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
1115 fprintf(stderr, "Server Random:\n");
1116 BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
1117 fprintf(stderr, "Master Secret:\n");
1118 BIO_dump_fp(stderr, (char *)s->session->master_key, SSL3_MASTER_SECRET_SIZE);
1119#endif
997 1120
998#ifdef KSSL_DEBUG 1121#ifdef KSSL_DEBUG
999 printf ("tls1_generate_master_secret() complete\n"); 1122 printf ("tls1_generate_master_secret() complete\n");
@@ -1001,6 +1124,95 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1001 return(SSL3_MASTER_SECRET_SIZE); 1124 return(SSL3_MASTER_SECRET_SIZE);
1002 } 1125 }
1003 1126
1127int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
1128 const char *label, size_t llen, const unsigned char *context,
1129 size_t contextlen, int use_context)
1130 {
1131 unsigned char *buff;
1132 unsigned char *val = NULL;
1133 size_t vallen, currentvalpos;
1134 int rv;
1135
1136#ifdef KSSL_DEBUG
1137 printf ("tls1_export_keying_material(%p,%p,%d,%s,%d,%p,%d)\n", s, out, olen, label, llen, p, plen);
1138#endif /* KSSL_DEBUG */
1139
1140 buff = OPENSSL_malloc(olen);
1141 if (buff == NULL) goto err2;
1142
1143 /* construct PRF arguments
1144 * we construct the PRF argument ourself rather than passing separate
1145 * values into the TLS PRF to ensure that the concatenation of values
1146 * does not create a prohibited label.
1147 */
1148 vallen = llen + SSL3_RANDOM_SIZE * 2;
1149 if (use_context)
1150 {
1151 vallen += 2 + contextlen;
1152 }
1153
1154 val = OPENSSL_malloc(vallen);
1155 if (val == NULL) goto err2;
1156 currentvalpos = 0;
1157 memcpy(val + currentvalpos, (unsigned char *) label, llen);
1158 currentvalpos += llen;
1159 memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
1160 currentvalpos += SSL3_RANDOM_SIZE;
1161 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
1162 currentvalpos += SSL3_RANDOM_SIZE;
1163
1164 if (use_context)
1165 {
1166 val[currentvalpos] = (contextlen >> 8) & 0xff;
1167 currentvalpos++;
1168 val[currentvalpos] = contextlen & 0xff;
1169 currentvalpos++;
1170 if ((contextlen > 0) || (context != NULL))
1171 {
1172 memcpy(val + currentvalpos, context, contextlen);
1173 }
1174 }
1175
1176 /* disallow prohibited labels
1177 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
1178 * 15, so size of val > max(prohibited label len) = 15 and the
1179 * comparisons won't have buffer overflow
1180 */
1181 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
1182 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1;
1183 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
1184 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1;
1185 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
1186 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1;
1187 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
1188 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
1189
1190 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
1191 val, vallen,
1192 NULL, 0,
1193 NULL, 0,
1194 NULL, 0,
1195 NULL, 0,
1196 s->session->master_key,s->session->master_key_length,
1197 out,buff,olen);
1198
1199#ifdef KSSL_DEBUG
1200 printf ("tls1_export_keying_material() complete\n");
1201#endif /* KSSL_DEBUG */
1202 goto ret;
1203err1:
1204 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
1205 rv = 0;
1206 goto ret;
1207err2:
1208 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
1209 rv = 0;
1210ret:
1211 if (buff != NULL) OPENSSL_free(buff);
1212 if (val != NULL) OPENSSL_free(val);
1213 return(rv);
1214 }
1215
1004int tls1_alert_code(int code) 1216int tls1_alert_code(int code)
1005 { 1217 {
1006 switch (code) 1218 switch (code)
@@ -1042,4 +1254,3 @@ int tls1_alert_code(int code)
1042 default: return(-1); 1254 default: return(-1);
1043 } 1255 }
1044 } 1256 }
1045
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 26cbae449e..27c8e3460d 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -114,6 +114,7 @@
114#include <openssl/evp.h> 114#include <openssl/evp.h>
115#include <openssl/hmac.h> 115#include <openssl/hmac.h>
116#include <openssl/ocsp.h> 116#include <openssl/ocsp.h>
117#include <openssl/rand.h>
117#include "ssl_locl.h" 118#include "ssl_locl.h"
118 119
119const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; 120const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
@@ -136,6 +137,7 @@ SSL3_ENC_METHOD TLSv1_enc_data={
136 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, 137 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
137 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, 138 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
138 tls1_alert_code, 139 tls1_alert_code,
140 tls1_export_keying_material,
139 }; 141 };
140 142
141long tls1_default_timeout(void) 143long tls1_default_timeout(void)
@@ -166,10 +168,11 @@ void tls1_free(SSL *s)
166void tls1_clear(SSL *s) 168void tls1_clear(SSL *s)
167 { 169 {
168 ssl3_clear(s); 170 ssl3_clear(s);
169 s->version=TLS1_VERSION; 171 s->version = s->method->version;
170 } 172 }
171 173
172#ifndef OPENSSL_NO_EC 174#ifndef OPENSSL_NO_EC
175
173static int nid_list[] = 176static int nid_list[] =
174 { 177 {
175 NID_sect163k1, /* sect163k1 (1) */ 178 NID_sect163k1, /* sect163k1 (1) */
@@ -198,7 +201,36 @@ static int nid_list[] =
198 NID_secp384r1, /* secp384r1 (24) */ 201 NID_secp384r1, /* secp384r1 (24) */
199 NID_secp521r1 /* secp521r1 (25) */ 202 NID_secp521r1 /* secp521r1 (25) */
200 }; 203 };
201 204
205static int pref_list[] =
206 {
207 NID_sect571r1, /* sect571r1 (14) */
208 NID_sect571k1, /* sect571k1 (13) */
209 NID_secp521r1, /* secp521r1 (25) */
210 NID_sect409k1, /* sect409k1 (11) */
211 NID_sect409r1, /* sect409r1 (12) */
212 NID_secp384r1, /* secp384r1 (24) */
213 NID_sect283k1, /* sect283k1 (9) */
214 NID_sect283r1, /* sect283r1 (10) */
215 NID_secp256k1, /* secp256k1 (22) */
216 NID_X9_62_prime256v1, /* secp256r1 (23) */
217 NID_sect239k1, /* sect239k1 (8) */
218 NID_sect233k1, /* sect233k1 (6) */
219 NID_sect233r1, /* sect233r1 (7) */
220 NID_secp224k1, /* secp224k1 (20) */
221 NID_secp224r1, /* secp224r1 (21) */
222 NID_sect193r1, /* sect193r1 (4) */
223 NID_sect193r2, /* sect193r2 (5) */
224 NID_secp192k1, /* secp192k1 (18) */
225 NID_X9_62_prime192v1, /* secp192r1 (19) */
226 NID_sect163k1, /* sect163k1 (1) */
227 NID_sect163r1, /* sect163r1 (2) */
228 NID_sect163r2, /* sect163r2 (3) */
229 NID_secp160k1, /* secp160k1 (15) */
230 NID_secp160r1, /* secp160r1 (16) */
231 NID_secp160r2, /* secp160r2 (17) */
232 };
233
202int tls1_ec_curve_id2nid(int curve_id) 234int tls1_ec_curve_id2nid(int curve_id)
203 { 235 {
204 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ 236 /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */
@@ -270,6 +302,64 @@ int tls1_ec_nid2curve_id(int nid)
270#endif /* OPENSSL_NO_EC */ 302#endif /* OPENSSL_NO_EC */
271 303
272#ifndef OPENSSL_NO_TLSEXT 304#ifndef OPENSSL_NO_TLSEXT
305
306/* List of supported signature algorithms and hashes. Should make this
307 * customisable at some point, for now include everything we support.
308 */
309
310#ifdef OPENSSL_NO_RSA
311#define tlsext_sigalg_rsa(md) /* */
312#else
313#define tlsext_sigalg_rsa(md) md, TLSEXT_signature_rsa,
314#endif
315
316#ifdef OPENSSL_NO_DSA
317#define tlsext_sigalg_dsa(md) /* */
318#else
319#define tlsext_sigalg_dsa(md) md, TLSEXT_signature_dsa,
320#endif
321
322#ifdef OPENSSL_NO_ECDSA
323#define tlsext_sigalg_ecdsa(md) /* */
324#else
325#define tlsext_sigalg_ecdsa(md) md, TLSEXT_signature_ecdsa,
326#endif
327
328#define tlsext_sigalg(md) \
329 tlsext_sigalg_rsa(md) \
330 tlsext_sigalg_dsa(md) \
331 tlsext_sigalg_ecdsa(md)
332
333static unsigned char tls12_sigalgs[] = {
334#ifndef OPENSSL_NO_SHA512
335 tlsext_sigalg(TLSEXT_hash_sha512)
336 tlsext_sigalg(TLSEXT_hash_sha384)
337#endif
338#ifndef OPENSSL_NO_SHA256
339 tlsext_sigalg(TLSEXT_hash_sha256)
340 tlsext_sigalg(TLSEXT_hash_sha224)
341#endif
342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
348};
349
350int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 {
352 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
358 if (p)
359 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen;
361 }
362
273unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) 363unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
274 { 364 {
275 int extdatalen=0; 365 int extdatalen=0;
@@ -317,7 +407,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
317 } 407 }
318 408
319 /* Add RI if renegotiating */ 409 /* Add RI if renegotiating */
320 if (s->new_session) 410 if (s->renegotiate)
321 { 411 {
322 int el; 412 int el;
323 413
@@ -341,6 +431,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
341 ret += el; 431 ret += el;
342 } 432 }
343 433
434#ifndef OPENSSL_NO_SRP
435 /* Add SRP username if there is one */
436 if (s->srp_ctx.login != NULL)
437 { /* Add TLS extension SRP username to the Client Hello message */
438
439 int login_len = strlen(s->srp_ctx.login);
440 if (login_len > 255 || login_len == 0)
441 {
442 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
443 return NULL;
444 }
445
446 /* check for enough space.
447 4 for the srp type type and entension length
448 1 for the srp user identity
449 + srp user identity length
450 */
451 if ((limit - ret - 5 - login_len) < 0) return NULL;
452
453 /* fill in the extension */
454 s2n(TLSEXT_TYPE_srp,ret);
455 s2n(login_len+1,ret);
456 (*ret++) = (unsigned char) login_len;
457 memcpy(ret, s->srp_ctx.login, login_len);
458 ret+=login_len;
459 }
460#endif
461
344#ifndef OPENSSL_NO_EC 462#ifndef OPENSSL_NO_EC
345 if (s->tlsext_ecpointformatlist != NULL && 463 if (s->tlsext_ecpointformatlist != NULL &&
346 s->version != DTLS1_VERSION) 464 s->version != DTLS1_VERSION)
@@ -426,6 +544,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
426 } 544 }
427 skip_ext: 545 skip_ext:
428 546
547 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
548 {
549 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
550 return NULL;
551 s2n(TLSEXT_TYPE_signature_algorithms,ret);
552 s2n(sizeof(tls12_sigalgs) + 2, ret);
553 s2n(sizeof(tls12_sigalgs), ret);
554 memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs));
555 ret += sizeof(tls12_sigalgs);
556 }
557
429#ifdef TLSEXT_TYPE_opaque_prf_input 558#ifdef TLSEXT_TYPE_opaque_prf_input
430 if (s->s3->client_opaque_prf_input != NULL && 559 if (s->s3->client_opaque_prf_input != NULL &&
431 s->version != DTLS1_VERSION) 560 s->version != DTLS1_VERSION)
@@ -494,6 +623,51 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
494 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); 623 i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
495 } 624 }
496 625
626#ifndef OPENSSL_NO_HEARTBEATS
627 /* Add Heartbeat extension */
628 s2n(TLSEXT_TYPE_heartbeat,ret);
629 s2n(1,ret);
630 /* Set mode:
631 * 1: peer may send requests
632 * 2: peer not allowed to send requests
633 */
634 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
635 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
636 else
637 *(ret++) = SSL_TLSEXT_HB_ENABLED;
638#endif
639
640#ifndef OPENSSL_NO_NEXTPROTONEG
641 if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len)
642 {
643 /* The client advertises an emtpy extension to indicate its
644 * support for Next Protocol Negotiation */
645 if (limit - ret - 4 < 0)
646 return NULL;
647 s2n(TLSEXT_TYPE_next_proto_neg,ret);
648 s2n(0,ret);
649 }
650#endif
651
652 if(SSL_get_srtp_profiles(s))
653 {
654 int el;
655
656 ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
657
658 if((limit - p - 4 - el) < 0) return NULL;
659
660 s2n(TLSEXT_TYPE_use_srtp,ret);
661 s2n(el,ret);
662
663 if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el))
664 {
665 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
666 return NULL;
667 }
668 ret += el;
669 }
670
497 if ((extdatalen = ret-p-2)== 0) 671 if ((extdatalen = ret-p-2)== 0)
498 return p; 672 return p;
499 673
@@ -505,6 +679,9 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
505 { 679 {
506 int extdatalen=0; 680 int extdatalen=0;
507 unsigned char *ret = p; 681 unsigned char *ret = p;
682#ifndef OPENSSL_NO_NEXTPROTONEG
683 int next_proto_neg_seen;
684#endif
508 685
509 /* don't add extensions for SSLv3, unless doing secure renegotiation */ 686 /* don't add extensions for SSLv3, unless doing secure renegotiation */
510 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) 687 if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
@@ -603,6 +780,26 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
603 ret += sol; 780 ret += sol;
604 } 781 }
605#endif 782#endif
783
784 if(s->srtp_profile)
785 {
786 int el;
787
788 ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
789
790 if((limit - p - 4 - el) < 0) return NULL;
791
792 s2n(TLSEXT_TYPE_use_srtp,ret);
793 s2n(el,ret);
794
795 if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el))
796 {
797 SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
798 return NULL;
799 }
800 ret+=el;
801 }
802
606 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 803 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
607 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 804 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
608 { const unsigned char cryptopro_ext[36] = { 805 { const unsigned char cryptopro_ext[36] = {
@@ -618,6 +815,46 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
618 815
619 } 816 }
620 817
818#ifndef OPENSSL_NO_HEARTBEATS
819 /* Add Heartbeat extension if we've received one */
820 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
821 {
822 s2n(TLSEXT_TYPE_heartbeat,ret);
823 s2n(1,ret);
824 /* Set mode:
825 * 1: peer may send requests
826 * 2: peer not allowed to send requests
827 */
828 if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
829 *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
830 else
831 *(ret++) = SSL_TLSEXT_HB_ENABLED;
832
833 }
834#endif
835
836#ifndef OPENSSL_NO_NEXTPROTONEG
837 next_proto_neg_seen = s->s3->next_proto_neg_seen;
838 s->s3->next_proto_neg_seen = 0;
839 if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb)
840 {
841 const unsigned char *npa;
842 unsigned int npalen;
843 int r;
844
845 r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg);
846 if (r == SSL_TLSEXT_ERR_OK)
847 {
848 if ((long)(limit - ret - 4 - npalen) < 0) return NULL;
849 s2n(TLSEXT_TYPE_next_proto_neg,ret);
850 s2n(npalen,ret);
851 memcpy(ret, npa, npalen);
852 ret += npalen;
853 s->s3->next_proto_neg_seen = 1;
854 }
855 }
856#endif
857
621 if ((extdatalen = ret-p-2)== 0) 858 if ((extdatalen = ret-p-2)== 0)
622 return p; 859 return p;
623 860
@@ -632,9 +869,18 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
632 unsigned short len; 869 unsigned short len;
633 unsigned char *data = *p; 870 unsigned char *data = *p;
634 int renegotiate_seen = 0; 871 int renegotiate_seen = 0;
872 int sigalg_seen = 0;
635 873
636 s->servername_done = 0; 874 s->servername_done = 0;
637 s->tlsext_status_type = -1; 875 s->tlsext_status_type = -1;
876#ifndef OPENSSL_NO_NEXTPROTONEG
877 s->s3->next_proto_neg_seen = 0;
878#endif
879
880#ifndef OPENSSL_NO_HEARTBEATS
881 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883#endif
638 884
639 if (data >= (d+n-2)) 885 if (data >= (d+n-2))
640 goto ri_check; 886 goto ri_check;
@@ -762,6 +1008,31 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
762 } 1008 }
763 1009
764 } 1010 }
1011#ifndef OPENSSL_NO_SRP
1012 else if (type == TLSEXT_TYPE_srp)
1013 {
1014 if (size <= 0 || ((len = data[0])) != (size -1))
1015 {
1016 *al = SSL_AD_DECODE_ERROR;
1017 return 0;
1018 }
1019 if (s->srp_ctx.login != NULL)
1020 {
1021 *al = SSL_AD_DECODE_ERROR;
1022 return 0;
1023 }
1024 if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
1025 return -1;
1026 memcpy(s->srp_ctx.login, &data[1], len);
1027 s->srp_ctx.login[len]='\0';
1028
1029 if (strlen(s->srp_ctx.login) != len)
1030 {
1031 *al = SSL_AD_DECODE_ERROR;
1032 return 0;
1033 }
1034 }
1035#endif
765 1036
766#ifndef OPENSSL_NO_EC 1037#ifndef OPENSSL_NO_EC
767 else if (type == TLSEXT_TYPE_ec_point_formats && 1038 else if (type == TLSEXT_TYPE_ec_point_formats &&
@@ -882,6 +1153,28 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
882 return 0; 1153 return 0;
883 renegotiate_seen = 1; 1154 renegotiate_seen = 1;
884 } 1155 }
1156 else if (type == TLSEXT_TYPE_signature_algorithms)
1157 {
1158 int dsize;
1159 if (sigalg_seen || size < 2)
1160 {
1161 *al = SSL_AD_DECODE_ERROR;
1162 return 0;
1163 }
1164 sigalg_seen = 1;
1165 n2s(data,dsize);
1166 size -= 2;
1167 if (dsize != size || dsize & 1)
1168 {
1169 *al = SSL_AD_DECODE_ERROR;
1170 return 0;
1171 }
1172 if (!tls1_process_sigalgs(s, data, dsize))
1173 {
1174 *al = SSL_AD_DECODE_ERROR;
1175 return 0;
1176 }
1177 }
885 else if (type == TLSEXT_TYPE_status_request && 1178 else if (type == TLSEXT_TYPE_status_request &&
886 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 1179 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
887 { 1180 {
@@ -994,8 +1287,54 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
994 else 1287 else
995 s->tlsext_status_type = -1; 1288 s->tlsext_status_type = -1;
996 } 1289 }
1290#ifndef OPENSSL_NO_HEARTBEATS
1291 else if (type == TLSEXT_TYPE_heartbeat)
1292 {
1293 switch(data[0])
1294 {
1295 case 0x01: /* Client allows us to send HB requests */
1296 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1297 break;
1298 case 0x02: /* Client doesn't accept HB requests */
1299 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1300 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1301 break;
1302 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1303 return 0;
1304 }
1305 }
1306#endif
1307#ifndef OPENSSL_NO_NEXTPROTONEG
1308 else if (type == TLSEXT_TYPE_next_proto_neg &&
1309 s->s3->tmp.finish_md_len == 0)
1310 {
1311 /* We shouldn't accept this extension on a
1312 * renegotiation.
1313 *
1314 * s->new_session will be set on renegotiation, but we
1315 * probably shouldn't rely that it couldn't be set on
1316 * the initial renegotation too in certain cases (when
1317 * there's some other reason to disallow resuming an
1318 * earlier session -- the current code won't be doing
1319 * anything like that, but this might change).
1320
1321 * A valid sign that there's been a previous handshake
1322 * in this connection is if s->s3->tmp.finish_md_len >
1323 * 0. (We are talking about a check that will happen
1324 * in the Hello protocol round, well before a new
1325 * Finished message could have been computed.) */
1326 s->s3->next_proto_neg_seen = 1;
1327 }
1328#endif
997 1329
998 /* session ticket processed earlier */ 1330 /* session ticket processed earlier */
1331 else if (type == TLSEXT_TYPE_use_srtp)
1332 {
1333 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334 al))
1335 return 0;
1336 }
1337
999 data+=size; 1338 data+=size;
1000 } 1339 }
1001 1340
@@ -1005,7 +1344,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1005 1344
1006 /* Need RI if renegotiating */ 1345 /* Need RI if renegotiating */
1007 1346
1008 if (!renegotiate_seen && s->new_session && 1347 if (!renegotiate_seen && s->renegotiate &&
1009 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) 1348 !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
1010 { 1349 {
1011 *al = SSL_AD_HANDSHAKE_FAILURE; 1350 *al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1017,6 +1356,26 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1017 return 1; 1356 return 1;
1018 } 1357 }
1019 1358
1359#ifndef OPENSSL_NO_NEXTPROTONEG
1360/* ssl_next_proto_validate validates a Next Protocol Negotiation block. No
1361 * elements of zero length are allowed and the set of elements must exactly fill
1362 * the length of the block. */
1363static char ssl_next_proto_validate(unsigned char *d, unsigned len)
1364 {
1365 unsigned int off = 0;
1366
1367 while (off < len)
1368 {
1369 if (d[off] == 0)
1370 return 0;
1371 off += d[off];
1372 off++;
1373 }
1374
1375 return off == len;
1376 }
1377#endif
1378
1020int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 1379int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
1021 { 1380 {
1022 unsigned short length; 1381 unsigned short length;
@@ -1026,6 +1385,15 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1026 int tlsext_servername = 0; 1385 int tlsext_servername = 0;
1027 int renegotiate_seen = 0; 1386 int renegotiate_seen = 0;
1028 1387
1388#ifndef OPENSSL_NO_NEXTPROTONEG
1389 s->s3->next_proto_neg_seen = 0;
1390#endif
1391
1392#ifndef OPENSSL_NO_HEARTBEATS
1393 s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
1394 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
1395#endif
1396
1029 if (data >= (d+n-2)) 1397 if (data >= (d+n-2))
1030 goto ri_check; 1398 goto ri_check;
1031 1399
@@ -1151,12 +1519,71 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1151 /* Set flag to expect CertificateStatus message */ 1519 /* Set flag to expect CertificateStatus message */
1152 s->tlsext_status_expected = 1; 1520 s->tlsext_status_expected = 1;
1153 } 1521 }
1522#ifndef OPENSSL_NO_NEXTPROTONEG
1523 else if (type == TLSEXT_TYPE_next_proto_neg &&
1524 s->s3->tmp.finish_md_len == 0)
1525 {
1526 unsigned char *selected;
1527 unsigned char selected_len;
1528
1529 /* We must have requested it. */
1530 if ((s->ctx->next_proto_select_cb == NULL))
1531 {
1532 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533 return 0;
1534 }
1535 /* The data must be valid */
1536 if (!ssl_next_proto_validate(data, size))
1537 {
1538 *al = TLS1_AD_DECODE_ERROR;
1539 return 0;
1540 }
1541 if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK)
1542 {
1543 *al = TLS1_AD_INTERNAL_ERROR;
1544 return 0;
1545 }
1546 s->next_proto_negotiated = OPENSSL_malloc(selected_len);
1547 if (!s->next_proto_negotiated)
1548 {
1549 *al = TLS1_AD_INTERNAL_ERROR;
1550 return 0;
1551 }
1552 memcpy(s->next_proto_negotiated, selected, selected_len);
1553 s->next_proto_negotiated_len = selected_len;
1554 s->s3->next_proto_neg_seen = 1;
1555 }
1556#endif
1154 else if (type == TLSEXT_TYPE_renegotiate) 1557 else if (type == TLSEXT_TYPE_renegotiate)
1155 { 1558 {
1156 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1559 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
1157 return 0; 1560 return 0;
1158 renegotiate_seen = 1; 1561 renegotiate_seen = 1;
1159 } 1562 }
1563#ifndef OPENSSL_NO_HEARTBEATS
1564 else if (type == TLSEXT_TYPE_heartbeat)
1565 {
1566 switch(data[0])
1567 {
1568 case 0x01: /* Server allows us to send HB requests */
1569 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1570 break;
1571 case 0x02: /* Server doesn't accept HB requests */
1572 s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
1573 s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
1574 break;
1575 default: *al = SSL_AD_ILLEGAL_PARAMETER;
1576 return 0;
1577 }
1578 }
1579#endif
1580 else if (type == TLSEXT_TYPE_use_srtp)
1581 {
1582 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583 al))
1584 return 0;
1585 }
1586
1160 data+=size; 1587 data+=size;
1161 } 1588 }
1162 1589
@@ -1236,7 +1663,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1236 break; 1663 break;
1237 } 1664 }
1238 } 1665 }
1239 using_ecc = using_ecc && (s->version == TLS1_VERSION); 1666 using_ecc = using_ecc && (s->version >= TLS1_VERSION);
1240 if (using_ecc) 1667 if (using_ecc)
1241 { 1668 {
1242 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); 1669 if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
@@ -1252,16 +1679,19 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
1252 1679
1253 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ 1680 /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */
1254 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); 1681 if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist);
1255 s->tlsext_ellipticcurvelist_length = sizeof(nid_list)/sizeof(nid_list[0]) * 2; 1682 s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2;
1256 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) 1683 if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL)
1257 { 1684 {
1258 s->tlsext_ellipticcurvelist_length = 0; 1685 s->tlsext_ellipticcurvelist_length = 0;
1259 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); 1686 SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
1260 return -1; 1687 return -1;
1261 } 1688 }
1262 for (i = 1, j = s->tlsext_ellipticcurvelist; (unsigned int)i <= 1689 for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i <
1263 sizeof(nid_list)/sizeof(nid_list[0]); i++) 1690 sizeof(pref_list)/sizeof(pref_list[0]); i++)
1264 s2n(i,j); 1691 {
1692 int id = tls1_ec_nid2curve_id(pref_list[i]);
1693 s2n(id,j);
1694 }
1265 } 1695 }
1266#endif /* OPENSSL_NO_EC */ 1696#endif /* OPENSSL_NO_EC */
1267 1697
@@ -1570,26 +2000,56 @@ int ssl_check_serverhello_tlsext(SSL *s)
1570 } 2000 }
1571 } 2001 }
1572 2002
1573/* Since the server cache lookup is done early on in the processing of client 2003/* Since the server cache lookup is done early on in the processing of the
1574 * hello and other operations depend on the result we need to handle any TLS 2004 * ClientHello, and other operations depend on the result, we need to handle
1575 * session ticket extension at the same time. 2005 * any TLS session ticket extension at the same time.
2006 *
2007 * session_id: points at the session ID in the ClientHello. This code will
2008 * read past the end of this in order to parse out the session ticket
2009 * extension, if any.
2010 * len: the length of the session ID.
2011 * limit: a pointer to the first byte after the ClientHello.
2012 * ret: (output) on return, if a ticket was decrypted, then this is set to
2013 * point to the resulting session.
2014 *
2015 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
2016 * ciphersuite, in which case we have no use for session tickets and one will
2017 * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
2018 *
2019 * Returns:
2020 * -1: fatal error, either from parsing or decrypting the ticket.
2021 * 0: no ticket was found (or was ignored, based on settings).
2022 * 1: a zero length extension was found, indicating that the client supports
2023 * session tickets but doesn't currently have one to offer.
2024 * 2: either s->tls_session_secret_cb was set, or a ticket was offered but
2025 * couldn't be decrypted because of a non-fatal error.
2026 * 3: a ticket was successfully decrypted and *ret was set.
2027 *
2028 * Side effects:
2029 * Sets s->tlsext_ticket_expected to 1 if the server will have to issue
2030 * a new session ticket to the client because the client indicated support
2031 * (and s->tls_session_secret_cb is NULL) but the client either doesn't have
2032 * a session ticket or we couldn't use the one it gave us, or if
2033 * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
2034 * Otherwise, s->tlsext_ticket_expected is set to 0.
1576 */ 2035 */
1577
1578int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, 2036int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1579 const unsigned char *limit, SSL_SESSION **ret) 2037 const unsigned char *limit, SSL_SESSION **ret)
1580 { 2038 {
1581 /* Point after session ID in client hello */ 2039 /* Point after session ID in client hello */
1582 const unsigned char *p = session_id + len; 2040 const unsigned char *p = session_id + len;
1583 unsigned short i; 2041 unsigned short i;
1584 2042
2043 *ret = NULL;
2044 s->tlsext_ticket_expected = 0;
2045
1585 /* If tickets disabled behave as if no ticket present 2046 /* If tickets disabled behave as if no ticket present
1586 * to permit stateful resumption. 2047 * to permit stateful resumption.
1587 */ 2048 */
1588 if (SSL_get_options(s) & SSL_OP_NO_TICKET) 2049 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1589 return 1; 2050 return 0;
1590
1591 if ((s->version <= SSL3_VERSION) || !limit) 2051 if ((s->version <= SSL3_VERSION) || !limit)
1592 return 1; 2052 return 0;
1593 if (p >= limit) 2053 if (p >= limit)
1594 return -1; 2054 return -1;
1595 /* Skip past DTLS cookie */ 2055 /* Skip past DTLS cookie */
@@ -1612,7 +2072,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1612 return -1; 2072 return -1;
1613 /* Now at start of extensions */ 2073 /* Now at start of extensions */
1614 if ((p + 2) >= limit) 2074 if ((p + 2) >= limit)
1615 return 1; 2075 return 0;
1616 n2s(p, i); 2076 n2s(p, i);
1617 while ((p + 4) <= limit) 2077 while ((p + 4) <= limit)
1618 { 2078 {
@@ -1620,39 +2080,61 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
1620 n2s(p, type); 2080 n2s(p, type);
1621 n2s(p, size); 2081 n2s(p, size);
1622 if (p + size > limit) 2082 if (p + size > limit)
1623 return 1; 2083 return 0;
1624 if (type == TLSEXT_TYPE_session_ticket) 2084 if (type == TLSEXT_TYPE_session_ticket)
1625 { 2085 {
1626 /* If tickets disabled indicate cache miss which will 2086 int r;
1627 * trigger a full handshake
1628 */
1629 if (SSL_get_options(s) & SSL_OP_NO_TICKET)
1630 return 1;
1631 /* If zero length note client will accept a ticket
1632 * and indicate cache miss to trigger full handshake
1633 */
1634 if (size == 0) 2087 if (size == 0)
1635 { 2088 {
2089 /* The client will accept a ticket but doesn't
2090 * currently have one. */
1636 s->tlsext_ticket_expected = 1; 2091 s->tlsext_ticket_expected = 1;
1637 return 0; /* Cache miss */ 2092 return 1;
1638 } 2093 }
1639 if (s->tls_session_secret_cb) 2094 if (s->tls_session_secret_cb)
1640 { 2095 {
1641 /* Indicate cache miss here and instead of 2096 /* Indicate that the ticket couldn't be
1642 * generating the session from ticket now, 2097 * decrypted rather than generating the session
1643 * trigger abbreviated handshake based on 2098 * from ticket now, trigger abbreviated
1644 * external mechanism to calculate the master 2099 * handshake based on external mechanism to
1645 * secret later. */ 2100 * calculate the master secret later. */
1646 return 0; 2101 return 2;
2102 }
2103 r = tls_decrypt_ticket(s, p, size, session_id, len, ret);
2104 switch (r)
2105 {
2106 case 2: /* ticket couldn't be decrypted */
2107 s->tlsext_ticket_expected = 1;
2108 return 2;
2109 case 3: /* ticket was decrypted */
2110 return r;
2111 case 4: /* ticket decrypted but need to renew */
2112 s->tlsext_ticket_expected = 1;
2113 return 3;
2114 default: /* fatal error */
2115 return -1;
1647 } 2116 }
1648 return tls_decrypt_ticket(s, p, size, session_id, len,
1649 ret);
1650 } 2117 }
1651 p += size; 2118 p += size;
1652 } 2119 }
1653 return 1; 2120 return 0;
1654 } 2121 }
1655 2122
2123/* tls_decrypt_ticket attempts to decrypt a session ticket.
2124 *
2125 * etick: points to the body of the session ticket extension.
2126 * eticklen: the length of the session tickets extenion.
2127 * sess_id: points at the session ID.
2128 * sesslen: the length of the session ID.
2129 * psess: (output) on return, if a ticket was decrypted, then this is set to
2130 * point to the resulting session.
2131 *
2132 * Returns:
2133 * -1: fatal error, either from parsing or decrypting the ticket.
2134 * 2: the ticket couldn't be decrypted.
2135 * 3: a ticket was successfully decrypted and *psess was set.
2136 * 4: same as 3, but the ticket needs to be renewed.
2137 */
1656static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, 2138static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1657 const unsigned char *sess_id, int sesslen, 2139 const unsigned char *sess_id, int sesslen,
1658 SSL_SESSION **psess) 2140 SSL_SESSION **psess)
@@ -1667,7 +2149,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1667 SSL_CTX *tctx = s->initial_ctx; 2149 SSL_CTX *tctx = s->initial_ctx;
1668 /* Need at least keyname + iv + some encrypted data */ 2150 /* Need at least keyname + iv + some encrypted data */
1669 if (eticklen < 48) 2151 if (eticklen < 48)
1670 goto tickerr; 2152 return 2;
1671 /* Initialize session ticket encryption and HMAC contexts */ 2153 /* Initialize session ticket encryption and HMAC contexts */
1672 HMAC_CTX_init(&hctx); 2154 HMAC_CTX_init(&hctx);
1673 EVP_CIPHER_CTX_init(&ctx); 2155 EVP_CIPHER_CTX_init(&ctx);
@@ -1679,7 +2161,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1679 if (rv < 0) 2161 if (rv < 0)
1680 return -1; 2162 return -1;
1681 if (rv == 0) 2163 if (rv == 0)
1682 goto tickerr; 2164 return 2;
1683 if (rv == 2) 2165 if (rv == 2)
1684 renew_ticket = 1; 2166 renew_ticket = 1;
1685 } 2167 }
@@ -1687,15 +2169,15 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1687 { 2169 {
1688 /* Check key name matches */ 2170 /* Check key name matches */
1689 if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) 2171 if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
1690 goto tickerr; 2172 return 2;
1691 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 2173 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1692 tlsext_tick_md(), NULL); 2174 tlsext_tick_md(), NULL);
1693 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 2175 EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1694 tctx->tlsext_tick_aes_key, etick + 16); 2176 tctx->tlsext_tick_aes_key, etick + 16);
1695 } 2177 }
1696 /* Attempt to process session ticket, first conduct sanity and 2178 /* Attempt to process session ticket, first conduct sanity and
1697 * integrity checks on ticket. 2179 * integrity checks on ticket.
1698 */ 2180 */
1699 mlen = HMAC_size(&hctx); 2181 mlen = HMAC_size(&hctx);
1700 if (mlen < 0) 2182 if (mlen < 0)
1701 { 2183 {
@@ -1708,7 +2190,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1708 HMAC_Final(&hctx, tick_hmac, NULL); 2190 HMAC_Final(&hctx, tick_hmac, NULL);
1709 HMAC_CTX_cleanup(&hctx); 2191 HMAC_CTX_cleanup(&hctx);
1710 if (memcmp(tick_hmac, etick + eticklen, mlen)) 2192 if (memcmp(tick_hmac, etick + eticklen, mlen))
1711 goto tickerr; 2193 return 2;
1712 /* Attempt to decrypt session data */ 2194 /* Attempt to decrypt session data */
1713 /* Move p after IV to start of encrypted ticket, update length */ 2195 /* Move p after IV to start of encrypted ticket, update length */
1714 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); 2196 p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
@@ -1721,33 +2203,376 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
1721 } 2203 }
1722 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); 2204 EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
1723 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) 2205 if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0)
1724 goto tickerr; 2206 return 2;
1725 slen += mlen; 2207 slen += mlen;
1726 EVP_CIPHER_CTX_cleanup(&ctx); 2208 EVP_CIPHER_CTX_cleanup(&ctx);
1727 p = sdec; 2209 p = sdec;
1728 2210
1729 sess = d2i_SSL_SESSION(NULL, &p, slen); 2211 sess = d2i_SSL_SESSION(NULL, &p, slen);
1730 OPENSSL_free(sdec); 2212 OPENSSL_free(sdec);
1731 if (sess) 2213 if (sess)
1732 { 2214 {
1733 /* The session ID if non-empty is used by some clients to 2215 /* The session ID, if non-empty, is used by some clients to
1734 * detect that the ticket has been accepted. So we copy it to 2216 * detect that the ticket has been accepted. So we copy it to
1735 * the session structure. If it is empty set length to zero 2217 * the session structure. If it is empty set length to zero
1736 * as required by standard. 2218 * as required by standard.
1737 */ 2219 */
1738 if (sesslen) 2220 if (sesslen)
1739 memcpy(sess->session_id, sess_id, sesslen); 2221 memcpy(sess->session_id, sess_id, sesslen);
1740 sess->session_id_length = sesslen; 2222 sess->session_id_length = sesslen;
1741 *psess = sess; 2223 *psess = sess;
1742 s->tlsext_ticket_expected = renew_ticket; 2224 if (renew_ticket)
2225 return 4;
2226 else
2227 return 3;
2228 }
2229 ERR_clear_error();
2230 /* For session parse failure, indicate that we need to send a new
2231 * ticket. */
2232 return 2;
2233 }
2234
2235/* Tables to translate from NIDs to TLS v1.2 ids */
2236
2237typedef struct
2238 {
2239 int nid;
2240 int id;
2241 } tls12_lookup;
2242
2243static tls12_lookup tls12_md[] = {
2244#ifndef OPENSSL_NO_MD5
2245 {NID_md5, TLSEXT_hash_md5},
2246#endif
2247#ifndef OPENSSL_NO_SHA
2248 {NID_sha1, TLSEXT_hash_sha1},
2249#endif
2250#ifndef OPENSSL_NO_SHA256
2251 {NID_sha224, TLSEXT_hash_sha224},
2252 {NID_sha256, TLSEXT_hash_sha256},
2253#endif
2254#ifndef OPENSSL_NO_SHA512
2255 {NID_sha384, TLSEXT_hash_sha384},
2256 {NID_sha512, TLSEXT_hash_sha512}
2257#endif
2258};
2259
2260static tls12_lookup tls12_sig[] = {
2261#ifndef OPENSSL_NO_RSA
2262 {EVP_PKEY_RSA, TLSEXT_signature_rsa},
2263#endif
2264#ifndef OPENSSL_NO_DSA
2265 {EVP_PKEY_DSA, TLSEXT_signature_dsa},
2266#endif
2267#ifndef OPENSSL_NO_ECDSA
2268 {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
2269#endif
2270};
2271
2272static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
2273 {
2274 size_t i;
2275 for (i = 0; i < tlen; i++)
2276 {
2277 if (table[i].nid == nid)
2278 return table[i].id;
2279 }
2280 return -1;
2281 }
2282#if 0
2283static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
2284 {
2285 size_t i;
2286 for (i = 0; i < tlen; i++)
2287 {
2288 if (table[i].id == id)
2289 return table[i].nid;
2290 }
2291 return -1;
2292 }
2293#endif
2294
2295int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
2296 {
2297 int sig_id, md_id;
2298 if (!md)
2299 return 0;
2300 md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
2301 sizeof(tls12_md)/sizeof(tls12_lookup));
2302 if (md_id == -1)
2303 return 0;
2304 sig_id = tls12_get_sigid(pk);
2305 if (sig_id == -1)
2306 return 0;
2307 p[0] = (unsigned char)md_id;
2308 p[1] = (unsigned char)sig_id;
2309 return 1;
2310 }
2311
2312int tls12_get_sigid(const EVP_PKEY *pk)
2313 {
2314 return tls12_find_id(pk->type, tls12_sig,
2315 sizeof(tls12_sig)/sizeof(tls12_lookup));
2316 }
2317
2318const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319 {
2320 switch(hash_alg)
2321 {
2322#ifndef OPENSSL_NO_MD5
2323 case TLSEXT_hash_md5:
2324#ifdef OPENSSL_FIPS
2325 if (FIPS_mode())
2326 return NULL;
2327#endif
2328 return EVP_md5();
2329#endif
2330#ifndef OPENSSL_NO_SHA
2331 case TLSEXT_hash_sha1:
2332 return EVP_sha1();
2333#endif
2334#ifndef OPENSSL_NO_SHA256
2335 case TLSEXT_hash_sha224:
2336 return EVP_sha224();
2337
2338 case TLSEXT_hash_sha256:
2339 return EVP_sha256();
2340#endif
2341#ifndef OPENSSL_NO_SHA512
2342 case TLSEXT_hash_sha384:
2343 return EVP_sha384();
2344
2345 case TLSEXT_hash_sha512:
2346 return EVP_sha512();
2347#endif
2348 default:
2349 return NULL;
2350
2351 }
2352 }
2353
2354/* Set preferred digest for each key type */
2355
2356int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2357 {
2358 int i, idx;
2359 const EVP_MD *md;
2360 CERT *c = s->cert;
2361 /* Extension ignored for TLS versions below 1.2 */
2362 if (TLS1_get_version(s) < TLS1_2_VERSION)
1743 return 1; 2363 return 1;
2364 /* Should never happen */
2365 if (!c)
2366 return 0;
2367
2368 c->pkeys[SSL_PKEY_DSA_SIGN].digest = NULL;
2369 c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL;
2370 c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL;
2371 c->pkeys[SSL_PKEY_ECC].digest = NULL;
2372
2373 for (i = 0; i < dsize; i += 2)
2374 {
2375 unsigned char hash_alg = data[i], sig_alg = data[i+1];
2376
2377 switch(sig_alg)
2378 {
2379#ifndef OPENSSL_NO_RSA
2380 case TLSEXT_signature_rsa:
2381 idx = SSL_PKEY_RSA_SIGN;
2382 break;
2383#endif
2384#ifndef OPENSSL_NO_DSA
2385 case TLSEXT_signature_dsa:
2386 idx = SSL_PKEY_DSA_SIGN;
2387 break;
2388#endif
2389#ifndef OPENSSL_NO_ECDSA
2390 case TLSEXT_signature_ecdsa:
2391 idx = SSL_PKEY_ECC;
2392 break;
2393#endif
2394 default:
2395 continue;
2396 }
2397
2398 if (c->pkeys[idx].digest == NULL)
2399 {
2400 md = tls12_get_hash(hash_alg);
2401 if (md)
2402 {
2403 c->pkeys[idx].digest = md;
2404 if (idx == SSL_PKEY_RSA_SIGN)
2405 c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
2406 }
2407 }
2408
1744 } 2409 }
1745 /* If session decrypt failure indicate a cache miss and set state to 2410
1746 * send a new ticket 2411
1747 */ 2412 /* Set any remaining keys to default values. NOTE: if alg is not
1748 tickerr: 2413 * supported it stays as NULL.
1749 s->tlsext_ticket_expected = 1; 2414 */
2415#ifndef OPENSSL_NO_DSA
2416 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
2418#endif
2419#ifndef OPENSSL_NO_RSA
2420 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
2421 {
2422 c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
2423 c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
2424 }
2425#endif
2426#ifndef OPENSSL_NO_ECDSA
2427 if (!c->pkeys[SSL_PKEY_ECC].digest)
2428 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
2429#endif
2430 return 1;
2431 }
2432
2433#endif
2434
2435#ifndef OPENSSL_NO_HEARTBEATS
2436int
2437tls1_process_heartbeat(SSL *s)
2438 {
2439 unsigned char *p = &s->s3->rrec.data[0], *pl;
2440 unsigned short hbtype;
2441 unsigned int payload;
2442 unsigned int padding = 16; /* Use minimum padding */
2443
2444 /* Read type and payload length first */
2445 hbtype = *p++;
2446 n2s(p, payload);
2447 pl = p;
2448
2449 if (s->msg_callback)
2450 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451 &s->s3->rrec.data[0], s->s3->rrec.length,
2452 s, s->msg_callback_arg);
2453
2454 if (hbtype == TLS1_HB_REQUEST)
2455 {
2456 unsigned char *buffer, *bp;
2457 int r;
2458
2459 /* Allocate memory for the response, size is 1 bytes
2460 * message type, plus 2 bytes payload length, plus
2461 * payload, plus padding
2462 */
2463 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
2464 bp = buffer;
2465
2466 /* Enter response type, length and copy payload */
2467 *bp++ = TLS1_HB_RESPONSE;
2468 s2n(payload, bp);
2469 memcpy(bp, pl, payload);
2470 bp += payload;
2471 /* Random padding */
2472 RAND_pseudo_bytes(bp, padding);
2473
2474 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
2475
2476 if (r >= 0 && s->msg_callback)
2477 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2478 buffer, 3 + payload + padding,
2479 s, s->msg_callback_arg);
2480
2481 OPENSSL_free(buffer);
2482
2483 if (r < 0)
2484 return r;
2485 }
2486 else if (hbtype == TLS1_HB_RESPONSE)
2487 {
2488 unsigned int seq;
2489
2490 /* We only send sequence numbers (2 bytes unsigned int),
2491 * and 16 random bytes, so we just try to read the
2492 * sequence number */
2493 n2s(pl, seq);
2494
2495 if (payload == 18 && seq == s->tlsext_hb_seq)
2496 {
2497 s->tlsext_hb_seq++;
2498 s->tlsext_hb_pending = 0;
2499 }
2500 }
2501
1750 return 0; 2502 return 0;
1751 } 2503 }
1752 2504
2505int
2506tls1_heartbeat(SSL *s)
2507 {
2508 unsigned char *buf, *p;
2509 int ret;
2510 unsigned int payload = 18; /* Sequence number + random bytes */
2511 unsigned int padding = 16; /* Use minimum padding */
2512
2513 /* Only send if peer supports and accepts HB requests... */
2514 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
2515 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
2516 {
2517 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
2518 return -1;
2519 }
2520
2521 /* ...and there is none in flight yet... */
2522 if (s->tlsext_hb_pending)
2523 {
2524 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
2525 return -1;
2526 }
2527
2528 /* ...and no handshake in progress. */
2529 if (SSL_in_init(s) || s->in_handshake)
2530 {
2531 SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
2532 return -1;
2533 }
2534
2535 /* Check if padding is too long, payload and padding
2536 * must not exceed 2^14 - 3 = 16381 bytes in total.
2537 */
2538 OPENSSL_assert(payload + padding <= 16381);
2539
2540 /* Create HeartBeat message, we just use a sequence number
2541 * as payload to distuingish different messages and add
2542 * some random stuff.
2543 * - Message Type, 1 byte
2544 * - Payload Length, 2 bytes (unsigned int)
2545 * - Payload, the sequence number (2 bytes uint)
2546 * - Payload, random bytes (16 bytes uint)
2547 * - Padding
2548 */
2549 buf = OPENSSL_malloc(1 + 2 + payload + padding);
2550 p = buf;
2551 /* Message Type */
2552 *p++ = TLS1_HB_REQUEST;
2553 /* Payload length (18 bytes here) */
2554 s2n(payload, p);
2555 /* Sequence number */
2556 s2n(s->tlsext_hb_seq, p);
2557 /* 16 random bytes */
2558 RAND_pseudo_bytes(p, 16);
2559 p += 16;
2560 /* Random padding */
2561 RAND_pseudo_bytes(p, padding);
2562
2563 ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
2564 if (ret >= 0)
2565 {
2566 if (s->msg_callback)
2567 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
2568 buf, 3 + payload + padding,
2569 s, s->msg_callback_arg);
2570
2571 s->tlsext_hb_pending = 1;
2572 }
2573
2574 OPENSSL_free(buf);
2575
2576 return ret;
2577 }
1753#endif 2578#endif
diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c
index 6ce7c0bbf5..53c807de28 100644
--- a/src/lib/libssl/t1_meth.c
+++ b/src/lib/libssl/t1_meth.c
@@ -60,16 +60,28 @@
60#include <openssl/objects.h> 60#include <openssl/objects.h>
61#include "ssl_locl.h" 61#include "ssl_locl.h"
62 62
63static const SSL_METHOD *tls1_get_method(int ver);
64static const SSL_METHOD *tls1_get_method(int ver) 63static const SSL_METHOD *tls1_get_method(int ver)
65 { 64 {
65 if (ver == TLS1_2_VERSION)
66 return TLSv1_2_method();
67 if (ver == TLS1_1_VERSION)
68 return TLSv1_1_method();
66 if (ver == TLS1_VERSION) 69 if (ver == TLS1_VERSION)
67 return(TLSv1_method()); 70 return TLSv1_method();
68 else 71 return NULL;
69 return(NULL);
70 } 72 }
71 73
72IMPLEMENT_tls1_meth_func(TLSv1_method, 74IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method,
75 ssl3_accept,
76 ssl3_connect,
77 tls1_get_method)
78
79IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method,
80 ssl3_accept,
81 ssl3_connect,
82 tls1_get_method)
83
84IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method,
73 ssl3_accept, 85 ssl3_accept,
74 ssl3_connect, 86 ssl3_connect,
75 tls1_get_method) 87 tls1_get_method)
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index 42525e9e89..f1d1565769 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -67,13 +67,26 @@
67static const SSL_METHOD *tls1_get_server_method(int ver); 67static const SSL_METHOD *tls1_get_server_method(int ver);
68static const SSL_METHOD *tls1_get_server_method(int ver) 68static const SSL_METHOD *tls1_get_server_method(int ver)
69 { 69 {
70 if (ver == TLS1_2_VERSION)
71 return TLSv1_2_server_method();
72 if (ver == TLS1_1_VERSION)
73 return TLSv1_1_server_method();
70 if (ver == TLS1_VERSION) 74 if (ver == TLS1_VERSION)
71 return(TLSv1_server_method()); 75 return TLSv1_server_method();
72 else 76 return NULL;
73 return(NULL);
74 } 77 }
75 78
76IMPLEMENT_tls1_meth_func(TLSv1_server_method, 79IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method,
80 ssl3_accept,
81 ssl_undefined_function,
82 tls1_get_server_method)
83
84IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method,
85 ssl3_accept,
86 ssl_undefined_function,
87 tls1_get_server_method)
88
89IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method,
77 ssl3_accept, 90 ssl3_accept,
78 ssl_undefined_function, 91 ssl_undefined_function,
79 tls1_get_server_method) 92 tls1_get_server_method)
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
index 20f8f05e3d..109bc8c10b 100644
--- a/src/lib/libssl/test/CAss.cnf
+++ b/src/lib/libssl/test/CAss.cnf
@@ -7,7 +7,7 @@ RANDFILE = ./.rnd
7 7
8#################################################################### 8####################################################################
9[ req ] 9[ req ]
10default_bits = 512 10default_bits = 2048
11default_keyfile = keySS.pem 11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name 12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no 13encrypt_rsa_key = no
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
index 876a0d35f8..326cce2ba8 100644
--- a/src/lib/libssl/test/P1ss.cnf
+++ b/src/lib/libssl/test/P1ss.cnf
@@ -7,7 +7,7 @@ RANDFILE = ./.rnd
7 7
8#################################################################### 8####################################################################
9[ req ] 9[ req ]
10default_bits = 512 10default_bits = 1024
11default_keyfile = keySS.pem 11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name 12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no 13encrypt_rsa_key = no
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
index 373a87e7c2..8b502321b8 100644
--- a/src/lib/libssl/test/P2ss.cnf
+++ b/src/lib/libssl/test/P2ss.cnf
@@ -7,7 +7,7 @@ RANDFILE = ./.rnd
7 7
8#################################################################### 8####################################################################
9[ req ] 9[ req ]
10default_bits = 512 10default_bits = 1024
11default_keyfile = keySS.pem 11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name 12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no 13encrypt_rsa_key = no
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
index 0c0ebb5f67..58ac0ca54d 100644
--- a/src/lib/libssl/test/Uss.cnf
+++ b/src/lib/libssl/test/Uss.cnf
@@ -7,11 +7,11 @@ RANDFILE = ./.rnd
7 7
8#################################################################### 8####################################################################
9[ req ] 9[ req ]
10default_bits = 512 10default_bits = 2048
11default_keyfile = keySS.pem 11default_keyfile = keySS.pem
12distinguished_name = req_distinguished_name 12distinguished_name = req_distinguished_name
13encrypt_rsa_key = no 13encrypt_rsa_key = no
14default_md = md2 14default_md = sha256
15 15
16[ req_distinguished_name ] 16[ req_distinguished_name ]
17countryName = Country Name (2 letter code) 17countryName = Country Name (2 letter code)
diff --git a/src/lib/libssl/test/pkits-test.pl b/src/lib/libssl/test/pkits-test.pl
index 69dffa16f9..5c6b89fcdb 100644
--- a/src/lib/libssl/test/pkits-test.pl
+++ b/src/lib/libssl/test/pkits-test.pl
@@ -784,6 +784,15 @@ my $ossl = "ossl/apps/openssl";
784 784
785my $ossl_cmd = "$ossl_path cms -verify -verify_retcode "; 785my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
786$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict "; 786$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
787
788# Check for expiry of trust anchor
789system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
790if ($? == 256)
791 {
792 print STDERR "WARNING: using older expired data\n";
793 $ossl_cmd .= "-attime 1291940972 ";
794 }
795
787$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 "; 796$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
788 797
789system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem"; 798system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
diff --git a/src/lib/libssl/test/test.cnf b/src/lib/libssl/test/test.cnf
index faad3914a8..10834442a1 100644
--- a/src/lib/libssl/test/test.cnf
+++ b/src/lib/libssl/test/test.cnf
@@ -56,7 +56,7 @@ emailAddress = optional
56 56
57#################################################################### 57####################################################################
58[ req ] 58[ req ]
59default_bits = 512 59default_bits = 1024
60default_keyfile = testkey.pem 60default_keyfile = testkey.pem
61distinguished_name = req_distinguished_name 61distinguished_name = req_distinguished_name
62encrypt_rsa_key = no 62encrypt_rsa_key = no
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index b55364ae88..5ae4dc8720 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -148,4 +148,14 @@ $ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
148echo test tls1 with PSK via BIO pair 148echo test tls1 with PSK via BIO pair
149$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1 149$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
150 150
151if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
152 echo skipping SRP tests
153else
154 echo test tls1 with SRP
155 $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123
156
157 echo test tls1 with SRP via BIO pair
158 $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123
159fi
160
151exit 0 161exit 0
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index b3cc8f098b..c39c267f0b 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -159,10 +159,24 @@ extern "C" {
159 159
160#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 160#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
161 161
162#define TLS1_2_VERSION 0x0303
163#define TLS1_2_VERSION_MAJOR 0x03
164#define TLS1_2_VERSION_MINOR 0x03
165
166#define TLS1_1_VERSION 0x0302
167#define TLS1_1_VERSION_MAJOR 0x03
168#define TLS1_1_VERSION_MINOR 0x02
169
162#define TLS1_VERSION 0x0301 170#define TLS1_VERSION 0x0301
163#define TLS1_VERSION_MAJOR 0x03 171#define TLS1_VERSION_MAJOR 0x03
164#define TLS1_VERSION_MINOR 0x01 172#define TLS1_VERSION_MINOR 0x01
165 173
174#define TLS1_get_version(s) \
175 ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
176
177#define TLS1_get_client_version(s) \
178 ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
179
166#define TLS1_AD_DECRYPTION_FAILED 21 180#define TLS1_AD_DECRYPTION_FAILED 21
167#define TLS1_AD_RECORD_OVERFLOW 22 181#define TLS1_AD_RECORD_OVERFLOW 22
168#define TLS1_AD_UNKNOWN_CA 48 /* fatal */ 182#define TLS1_AD_UNKNOWN_CA 48 /* fatal */
@@ -183,17 +197,42 @@ extern "C" {
183#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114 197#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
184#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */ 198#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */
185 199
186/* ExtensionType values from RFC3546 / RFC4366 */ 200/* ExtensionType values from RFC3546 / RFC4366 / RFC6066 */
187#define TLSEXT_TYPE_server_name 0 201#define TLSEXT_TYPE_server_name 0
188#define TLSEXT_TYPE_max_fragment_length 1 202#define TLSEXT_TYPE_max_fragment_length 1
189#define TLSEXT_TYPE_client_certificate_url 2 203#define TLSEXT_TYPE_client_certificate_url 2
190#define TLSEXT_TYPE_trusted_ca_keys 3 204#define TLSEXT_TYPE_trusted_ca_keys 3
191#define TLSEXT_TYPE_truncated_hmac 4 205#define TLSEXT_TYPE_truncated_hmac 4
192#define TLSEXT_TYPE_status_request 5 206#define TLSEXT_TYPE_status_request 5
207/* ExtensionType values from RFC4681 */
208#define TLSEXT_TYPE_user_mapping 6
209
210/* ExtensionType values from RFC5878 */
211#define TLSEXT_TYPE_client_authz 7
212#define TLSEXT_TYPE_server_authz 8
213
214/* ExtensionType values from RFC6091 */
215#define TLSEXT_TYPE_cert_type 9
216
193/* ExtensionType values from RFC4492 */ 217/* ExtensionType values from RFC4492 */
194#define TLSEXT_TYPE_elliptic_curves 10 218#define TLSEXT_TYPE_elliptic_curves 10
195#define TLSEXT_TYPE_ec_point_formats 11 219#define TLSEXT_TYPE_ec_point_formats 11
220
221/* ExtensionType value from RFC5054 */
222#define TLSEXT_TYPE_srp 12
223
224/* ExtensionType values from RFC5246 */
225#define TLSEXT_TYPE_signature_algorithms 13
226
227/* ExtensionType value from RFC5764 */
228#define TLSEXT_TYPE_use_srtp 14
229
230/* ExtensionType value from RFC5620 */
231#define TLSEXT_TYPE_heartbeat 15
232
233/* ExtensionType value from RFC4507 */
196#define TLSEXT_TYPE_session_ticket 35 234#define TLSEXT_TYPE_session_ticket 35
235
197/* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */ 236/* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
198#if 0 /* will have to be provided externally for now , 237#if 0 /* will have to be provided externally for now ,
199 * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183 238 * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
@@ -204,6 +243,11 @@ extern "C" {
204/* Temporary extension type */ 243/* Temporary extension type */
205#define TLSEXT_TYPE_renegotiate 0xff01 244#define TLSEXT_TYPE_renegotiate 0xff01
206 245
246#ifndef OPENSSL_NO_NEXTPROTONEG
247/* This is not an IANA defined extension number */
248#define TLSEXT_TYPE_next_proto_neg 13172
249#endif
250
207/* NameType value from RFC 3546 */ 251/* NameType value from RFC 3546 */
208#define TLSEXT_NAMETYPE_host_name 0 252#define TLSEXT_NAMETYPE_host_name 0
209/* status request value from RFC 3546 */ 253/* status request value from RFC 3546 */
@@ -216,12 +260,37 @@ extern "C" {
216#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2 260#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2
217#define TLSEXT_ECPOINTFORMAT_last 2 261#define TLSEXT_ECPOINTFORMAT_last 2
218 262
263/* Signature and hash algorithms from RFC 5246 */
264
265#define TLSEXT_signature_anonymous 0
266#define TLSEXT_signature_rsa 1
267#define TLSEXT_signature_dsa 2
268#define TLSEXT_signature_ecdsa 3
269
270#define TLSEXT_hash_none 0
271#define TLSEXT_hash_md5 1
272#define TLSEXT_hash_sha1 2
273#define TLSEXT_hash_sha224 3
274#define TLSEXT_hash_sha256 4
275#define TLSEXT_hash_sha384 5
276#define TLSEXT_hash_sha512 6
277
219#ifndef OPENSSL_NO_TLSEXT 278#ifndef OPENSSL_NO_TLSEXT
220 279
221#define TLSEXT_MAXLEN_host_name 255 280#define TLSEXT_MAXLEN_host_name 255
222 281
223const char *SSL_get_servername(const SSL *s, const int type) ; 282const char *SSL_get_servername(const SSL *s, const int type);
224int SSL_get_servername_type(const SSL *s) ; 283int SSL_get_servername_type(const SSL *s);
284/* SSL_export_keying_material exports a value derived from the master secret,
285 * as specified in RFC 5705. It writes |olen| bytes to |out| given a label and
286 * optional context. (Since a zero length context is allowed, the |use_context|
287 * flag controls whether a context is included.)
288 *
289 * It returns 1 on success and zero otherwise.
290 */
291int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
292 const char *label, size_t llen, const unsigned char *p, size_t plen,
293 int use_context);
225 294
226#define SSL_set_tlsext_host_name(s,name) \ 295#define SSL_set_tlsext_host_name(s,name) \
227SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name) 296SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
@@ -285,6 +354,16 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG, 0, arg)
285#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \ 354#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
286SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) 355SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
287 356
357#ifndef OPENSSL_NO_HEARTBEATS
358#define SSL_TLSEXT_HB_ENABLED 0x01
359#define SSL_TLSEXT_HB_DONT_SEND_REQUESTS 0x02
360#define SSL_TLSEXT_HB_DONT_RECV_REQUESTS 0x04
361
362#define SSL_get_tlsext_heartbeat_pending(ssl) \
363 SSL_ctrl((ssl),SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING,0,NULL)
364#define SSL_set_tlsext_heartbeat_no_requests(ssl, arg) \
365 SSL_ctrl((ssl),SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS,arg,NULL)
366#endif
288#endif 367#endif
289 368
290/* PSK ciphersuites from 4279 */ 369/* PSK ciphersuites from 4279 */
@@ -322,6 +401,14 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
322#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039 401#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039
323#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A 402#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A
324 403
404/* TLS v1.2 ciphersuites */
405#define TLS1_CK_RSA_WITH_NULL_SHA256 0x0300003B
406#define TLS1_CK_RSA_WITH_AES_128_SHA256 0x0300003C
407#define TLS1_CK_RSA_WITH_AES_256_SHA256 0x0300003D
408#define TLS1_CK_DH_DSS_WITH_AES_128_SHA256 0x0300003E
409#define TLS1_CK_DH_RSA_WITH_AES_128_SHA256 0x0300003F
410#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA256 0x03000040
411
325/* Camellia ciphersuites from RFC4132 */ 412/* Camellia ciphersuites from RFC4132 */
326#define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000041 413#define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000041
327#define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000042 414#define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000042
@@ -330,6 +417,16 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
330#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000045 417#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000045
331#define TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA 0x03000046 418#define TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA 0x03000046
332 419
420/* TLS v1.2 ciphersuites */
421#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA256 0x03000067
422#define TLS1_CK_DH_DSS_WITH_AES_256_SHA256 0x03000068
423#define TLS1_CK_DH_RSA_WITH_AES_256_SHA256 0x03000069
424#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA256 0x0300006A
425#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA256 0x0300006B
426#define TLS1_CK_ADH_WITH_AES_128_SHA256 0x0300006C
427#define TLS1_CK_ADH_WITH_AES_256_SHA256 0x0300006D
428
429/* Camellia ciphersuites from RFC4132 */
333#define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000084 430#define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000084
334#define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000085 431#define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000085
335#define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000086 432#define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000086
@@ -345,6 +442,20 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
345#define TLS1_CK_DHE_RSA_WITH_SEED_SHA 0x0300009A 442#define TLS1_CK_DHE_RSA_WITH_SEED_SHA 0x0300009A
346#define TLS1_CK_ADH_WITH_SEED_SHA 0x0300009B 443#define TLS1_CK_ADH_WITH_SEED_SHA 0x0300009B
347 444
445/* TLS v1.2 GCM ciphersuites from RFC5288 */
446#define TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 0x0300009C
447#define TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 0x0300009D
448#define TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 0x0300009E
449#define TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384 0x0300009F
450#define TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256 0x030000A0
451#define TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384 0x030000A1
452#define TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256 0x030000A2
453#define TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384 0x030000A3
454#define TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256 0x030000A4
455#define TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384 0x030000A5
456#define TLS1_CK_ADH_WITH_AES_128_GCM_SHA256 0x030000A6
457#define TLS1_CK_ADH_WITH_AES_256_GCM_SHA384 0x030000A7
458
348/* ECC ciphersuites from draft-ietf-tls-ecc-12.txt with changes soon to be in draft 13 */ 459/* ECC ciphersuites from draft-ietf-tls-ecc-12.txt with changes soon to be in draft 13 */
349#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001 460#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001
350#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002 461#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002
@@ -376,6 +487,38 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
376#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA 0x0300C018 487#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA 0x0300C018
377#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA 0x0300C019 488#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA 0x0300C019
378 489
490/* SRP ciphersuites from RFC 5054 */
491#define TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA 0x0300C01A
492#define TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA 0x0300C01B
493#define TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA 0x0300C01C
494#define TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA 0x0300C01D
495#define TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA 0x0300C01E
496#define TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA 0x0300C01F
497#define TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA 0x0300C020
498#define TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA 0x0300C021
499#define TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA 0x0300C022
500
501/* ECDH HMAC based ciphersuites from RFC5289 */
502
503#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 0x0300C023
504#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 0x0300C024
505#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256 0x0300C025
506#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384 0x0300C026
507#define TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256 0x0300C027
508#define TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 0x0300C028
509#define TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256 0x0300C029
510#define TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384 0x0300C02A
511
512/* ECDH GCM based ciphersuites from RFC5289 */
513#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02B
514#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02C
515#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02D
516#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02E
517#define TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0x0300C02F
518#define TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0x0300C030
519#define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031
520#define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
521
379/* XXX 522/* XXX
380 * Inconsistency alert: 523 * Inconsistency alert:
381 * The OpenSSL names of ciphers with ephemeral DH here include the string 524 * The OpenSSL names of ciphers with ephemeral DH here include the string
@@ -443,6 +586,17 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
443#define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA "PSK-AES128-CBC-SHA" 586#define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA "PSK-AES128-CBC-SHA"
444#define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA "PSK-AES256-CBC-SHA" 587#define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA "PSK-AES256-CBC-SHA"
445 588
589/* SRP ciphersuite from RFC 5054 */
590#define TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA "SRP-3DES-EDE-CBC-SHA"
591#define TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA "SRP-RSA-3DES-EDE-CBC-SHA"
592#define TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA "SRP-DSS-3DES-EDE-CBC-SHA"
593#define TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA "SRP-AES-128-CBC-SHA"
594#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA "SRP-RSA-AES-128-CBC-SHA"
595#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA "SRP-DSS-AES-128-CBC-SHA"
596#define TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA "SRP-AES-256-CBC-SHA"
597#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA "SRP-RSA-AES-256-CBC-SHA"
598#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA "SRP-DSS-AES-256-CBC-SHA"
599
446/* Camellia ciphersuites from RFC4132 */ 600/* Camellia ciphersuites from RFC4132 */
447#define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA "CAMELLIA128-SHA" 601#define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA "CAMELLIA128-SHA"
448#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA "DH-DSS-CAMELLIA128-SHA" 602#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA "DH-DSS-CAMELLIA128-SHA"
@@ -466,6 +620,55 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
466#define TLS1_TXT_DHE_RSA_WITH_SEED_SHA "DHE-RSA-SEED-SHA" 620#define TLS1_TXT_DHE_RSA_WITH_SEED_SHA "DHE-RSA-SEED-SHA"
467#define TLS1_TXT_ADH_WITH_SEED_SHA "ADH-SEED-SHA" 621#define TLS1_TXT_ADH_WITH_SEED_SHA "ADH-SEED-SHA"
468 622
623/* TLS v1.2 ciphersuites */
624#define TLS1_TXT_RSA_WITH_NULL_SHA256 "NULL-SHA256"
625#define TLS1_TXT_RSA_WITH_AES_128_SHA256 "AES128-SHA256"
626#define TLS1_TXT_RSA_WITH_AES_256_SHA256 "AES256-SHA256"
627#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA256 "DH-DSS-AES128-SHA256"
628#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA256 "DH-RSA-AES128-SHA256"
629#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256 "DHE-DSS-AES128-SHA256"
630#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 "DHE-RSA-AES128-SHA256"
631#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA256 "DH-DSS-AES256-SHA256"
632#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA256 "DH-RSA-AES256-SHA256"
633#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256 "DHE-DSS-AES256-SHA256"
634#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 "DHE-RSA-AES256-SHA256"
635#define TLS1_TXT_ADH_WITH_AES_128_SHA256 "ADH-AES128-SHA256"
636#define TLS1_TXT_ADH_WITH_AES_256_SHA256 "ADH-AES256-SHA256"
637
638/* TLS v1.2 GCM ciphersuites from RFC5288 */
639#define TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256 "AES128-GCM-SHA256"
640#define TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384 "AES256-GCM-SHA384"
641#define TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 "DHE-RSA-AES128-GCM-SHA256"
642#define TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 "DHE-RSA-AES256-GCM-SHA384"
643#define TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256 "DH-RSA-AES128-GCM-SHA256"
644#define TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384 "DH-RSA-AES256-GCM-SHA384"
645#define TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256 "DHE-DSS-AES128-GCM-SHA256"
646#define TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384 "DHE-DSS-AES256-GCM-SHA384"
647#define TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256 "DH-DSS-AES128-GCM-SHA256"
648#define TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384 "DH-DSS-AES256-GCM-SHA384"
649#define TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256 "ADH-AES128-GCM-SHA256"
650#define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384 "ADH-AES256-GCM-SHA384"
651
652/* ECDH HMAC based ciphersuites from RFC5289 */
653
654#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256 "ECDHE-ECDSA-AES128-SHA256"
655#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384 "ECDHE-ECDSA-AES256-SHA384"
656#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256 "ECDH-ECDSA-AES128-SHA256"
657#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384 "ECDH-ECDSA-AES256-SHA384"
658#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 "ECDHE-RSA-AES128-SHA256"
659#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 "ECDHE-RSA-AES256-SHA384"
660#define TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256 "ECDH-RSA-AES128-SHA256"
661#define TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384 "ECDH-RSA-AES256-SHA384"
662
663/* ECDH GCM based ciphersuites from RFC5289 */
664#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 "ECDHE-ECDSA-AES128-GCM-SHA256"
665#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 "ECDHE-ECDSA-AES256-GCM-SHA384"
666#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 "ECDH-ECDSA-AES128-GCM-SHA256"
667#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 "ECDH-ECDSA-AES256-GCM-SHA384"
668#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "ECDHE-RSA-AES128-GCM-SHA256"
669#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 "ECDHE-RSA-AES256-GCM-SHA384"
670#define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256 "ECDH-RSA-AES128-GCM-SHA256"
671#define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 "ECDH-RSA-AES256-GCM-SHA384"
469 672
470#define TLS_CT_RSA_SIGN 1 673#define TLS_CT_RSA_SIGN 1
471#define TLS_CT_DSS_SIGN 2 674#define TLS_CT_DSS_SIGN 2
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-21 02:31:00 +0000