diff options
Diffstat (limited to 'src/lib/libssl')
28 files changed, 762 insertions, 395 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c index de8bab873f..2e8cf681ed 100644 --- a/src/lib/libssl/d1_both.c +++ b/src/lib/libssl/d1_both.c | |||
@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) | |||
214 | static void | 214 | static void |
215 | dtls1_hm_fragment_free(hm_fragment *frag) | 215 | dtls1_hm_fragment_free(hm_fragment *frag) |
216 | { | 216 | { |
217 | |||
218 | if (frag->msg_header.is_ccs) | ||
219 | { | ||
220 | EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); | ||
221 | EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); | ||
222 | } | ||
217 | if (frag->fragment) OPENSSL_free(frag->fragment); | 223 | if (frag->fragment) OPENSSL_free(frag->fragment); |
218 | if (frag->reassembly) OPENSSL_free(frag->reassembly); | 224 | if (frag->reassembly) OPENSSL_free(frag->reassembly); |
219 | OPENSSL_free(frag); | 225 | OPENSSL_free(frag); |
@@ -313,9 +319,10 @@ int dtls1_do_write(SSL *s, int type) | |||
313 | s->init_off -= DTLS1_HM_HEADER_LENGTH; | 319 | s->init_off -= DTLS1_HM_HEADER_LENGTH; |
314 | s->init_num += DTLS1_HM_HEADER_LENGTH; | 320 | s->init_num += DTLS1_HM_HEADER_LENGTH; |
315 | 321 | ||
316 | /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ | 322 | if ( s->init_num > curr_mtu) |
317 | if ( len <= DTLS1_HM_HEADER_LENGTH) | 323 | len = curr_mtu; |
318 | len += DTLS1_HM_HEADER_LENGTH; | 324 | else |
325 | len = s->init_num; | ||
319 | } | 326 | } |
320 | 327 | ||
321 | dtls1_fix_message_header(s, frag_off, | 328 | dtls1_fix_message_header(s, frag_off, |
@@ -1452,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s) | |||
1452 | unsigned int payload; | 1459 | unsigned int payload; |
1453 | unsigned int padding = 16; /* Use minimum padding */ | 1460 | unsigned int padding = 16; /* Use minimum padding */ |
1454 | 1461 | ||
1455 | /* Read type and payload length first */ | ||
1456 | hbtype = *p++; | ||
1457 | n2s(p, payload); | ||
1458 | pl = p; | ||
1459 | |||
1460 | if (s->msg_callback) | 1462 | if (s->msg_callback) |
1461 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, | 1463 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, |
1462 | &s->s3->rrec.data[0], s->s3->rrec.length, | 1464 | &s->s3->rrec.data[0], s->s3->rrec.length, |
1463 | s, s->msg_callback_arg); | 1465 | s, s->msg_callback_arg); |
1464 | 1466 | ||
1467 | /* Read type and payload length first */ | ||
1468 | if (1 + 2 + 16 > s->s3->rrec.length) | ||
1469 | return 0; /* silently discard */ | ||
1470 | hbtype = *p++; | ||
1471 | n2s(p, payload); | ||
1472 | if (1 + 2 + payload + 16 > s->s3->rrec.length) | ||
1473 | return 0; /* silently discard per RFC 6520 sec. 4 */ | ||
1474 | pl = p; | ||
1475 | |||
1465 | if (hbtype == TLS1_HB_REQUEST) | 1476 | if (hbtype == TLS1_HB_REQUEST) |
1466 | { | 1477 | { |
1467 | unsigned char *buffer, *bp; | 1478 | unsigned char *buffer, *bp; |
1479 | unsigned int write_length = 1 /* heartbeat type */ + | ||
1480 | 2 /* heartbeat length */ + | ||
1481 | payload + padding; | ||
1468 | int r; | 1482 | int r; |
1469 | 1483 | ||
1484 | if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) | ||
1485 | return 0; | ||
1486 | |||
1470 | /* Allocate memory for the response, size is 1 byte | 1487 | /* Allocate memory for the response, size is 1 byte |
1471 | * message type, plus 2 bytes payload length, plus | 1488 | * message type, plus 2 bytes payload length, plus |
1472 | * payload, plus padding | 1489 | * payload, plus padding |
1473 | */ | 1490 | */ |
1474 | buffer = OPENSSL_malloc(1 + 2 + payload + padding); | 1491 | buffer = OPENSSL_malloc(write_length); |
1475 | bp = buffer; | 1492 | bp = buffer; |
1476 | 1493 | ||
1477 | /* Enter response type, length and copy payload */ | 1494 | /* Enter response type, length and copy payload */ |
@@ -1482,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s) | |||
1482 | /* Random padding */ | 1499 | /* Random padding */ |
1483 | RAND_pseudo_bytes(bp, padding); | 1500 | RAND_pseudo_bytes(bp, padding); |
1484 | 1501 | ||
1485 | r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); | 1502 | r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); |
1486 | 1503 | ||
1487 | if (r >= 0 && s->msg_callback) | 1504 | if (r >= 0 && s->msg_callback) |
1488 | s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, | 1505 | s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, |
1489 | buffer, 3 + payload + padding, | 1506 | buffer, write_length, |
1490 | s, s->msg_callback_arg); | 1507 | s, s->msg_callback_arg); |
1491 | 1508 | ||
1492 | OPENSSL_free(buffer); | 1509 | OPENSSL_free(buffer); |
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index a6ed09c51d..48e5e06bde 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c | |||
@@ -538,13 +538,6 @@ int dtls1_connect(SSL *s) | |||
538 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); | 538 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); |
539 | if (ret <= 0) goto end; | 539 | if (ret <= 0) goto end; |
540 | 540 | ||
541 | #ifndef OPENSSL_NO_SCTP | ||
542 | /* Change to new shared key of SCTP-Auth, | ||
543 | * will be ignored if no SCTP used. | ||
544 | */ | ||
545 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); | ||
546 | #endif | ||
547 | |||
548 | s->state=SSL3_ST_CW_FINISHED_A; | 541 | s->state=SSL3_ST_CW_FINISHED_A; |
549 | s->init_num=0; | 542 | s->init_num=0; |
550 | 543 | ||
@@ -571,6 +564,16 @@ int dtls1_connect(SSL *s) | |||
571 | goto end; | 564 | goto end; |
572 | } | 565 | } |
573 | 566 | ||
567 | #ifndef OPENSSL_NO_SCTP | ||
568 | if (s->hit) | ||
569 | { | ||
570 | /* Change to new shared key of SCTP-Auth, | ||
571 | * will be ignored if no SCTP used. | ||
572 | */ | ||
573 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); | ||
574 | } | ||
575 | #endif | ||
576 | |||
574 | dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); | 577 | dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); |
575 | break; | 578 | break; |
576 | 579 | ||
@@ -613,6 +616,13 @@ int dtls1_connect(SSL *s) | |||
613 | } | 616 | } |
614 | else | 617 | else |
615 | { | 618 | { |
619 | #ifndef OPENSSL_NO_SCTP | ||
620 | /* Change to new shared key of SCTP-Auth, | ||
621 | * will be ignored if no SCTP used. | ||
622 | */ | ||
623 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); | ||
624 | #endif | ||
625 | |||
616 | #ifndef OPENSSL_NO_TLSEXT | 626 | #ifndef OPENSSL_NO_TLSEXT |
617 | /* Allow NewSessionTicket if ticket expected */ | 627 | /* Allow NewSessionTicket if ticket expected */ |
618 | if (s->tlsext_ticket_expected) | 628 | if (s->tlsext_ticket_expected) |
@@ -773,7 +783,7 @@ int dtls1_client_hello(SSL *s) | |||
773 | unsigned char *buf; | 783 | unsigned char *buf; |
774 | unsigned char *p,*d; | 784 | unsigned char *p,*d; |
775 | unsigned int i,j; | 785 | unsigned int i,j; |
776 | unsigned long Time,l; | 786 | unsigned long l; |
777 | SSL_COMP *comp; | 787 | SSL_COMP *comp; |
778 | 788 | ||
779 | buf=(unsigned char *)s->init_buf->data; | 789 | buf=(unsigned char *)s->init_buf->data; |
@@ -798,13 +808,11 @@ int dtls1_client_hello(SSL *s) | |||
798 | 808 | ||
799 | /* if client_random is initialized, reuse it, we are | 809 | /* if client_random is initialized, reuse it, we are |
800 | * required to use same upon reply to HelloVerify */ | 810 | * required to use same upon reply to HelloVerify */ |
801 | for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; | 811 | for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) |
812 | ; | ||
802 | if (i==sizeof(s->s3->client_random)) | 813 | if (i==sizeof(s->s3->client_random)) |
803 | { | 814 | ssl_fill_hello_random(s, 0, p, |
804 | Time=(unsigned long)time(NULL); /* Time */ | 815 | sizeof(s->s3->client_random)); |
805 | l2n(Time,p); | ||
806 | RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4); | ||
807 | } | ||
808 | 816 | ||
809 | /* Do the message type and length last */ | 817 | /* Do the message type and length last */ |
810 | d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); | 818 | d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); |
diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c index 07a5e97ce5..712c4647f2 100644 --- a/src/lib/libssl/d1_enc.c +++ b/src/lib/libssl/d1_enc.c | |||
@@ -126,20 +126,28 @@ | |||
126 | #include <openssl/des.h> | 126 | #include <openssl/des.h> |
127 | #endif | 127 | #endif |
128 | 128 | ||
129 | /* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. | ||
130 | * | ||
131 | * Returns: | ||
132 | * 0: (in non-constant time) if the record is publically invalid (i.e. too | ||
133 | * short etc). | ||
134 | * 1: if the record's padding is valid / the encryption was successful. | ||
135 | * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, | ||
136 | * an internal error occured. */ | ||
129 | int dtls1_enc(SSL *s, int send) | 137 | int dtls1_enc(SSL *s, int send) |
130 | { | 138 | { |
131 | SSL3_RECORD *rec; | 139 | SSL3_RECORD *rec; |
132 | EVP_CIPHER_CTX *ds; | 140 | EVP_CIPHER_CTX *ds; |
133 | unsigned long l; | 141 | unsigned long l; |
134 | int bs,i,ii,j,k,n=0; | 142 | int bs,i,j,k,mac_size=0; |
135 | const EVP_CIPHER *enc; | 143 | const EVP_CIPHER *enc; |
136 | 144 | ||
137 | if (send) | 145 | if (send) |
138 | { | 146 | { |
139 | if (EVP_MD_CTX_md(s->write_hash)) | 147 | if (EVP_MD_CTX_md(s->write_hash)) |
140 | { | 148 | { |
141 | n=EVP_MD_CTX_size(s->write_hash); | 149 | mac_size=EVP_MD_CTX_size(s->write_hash); |
142 | if (n < 0) | 150 | if (mac_size < 0) |
143 | return -1; | 151 | return -1; |
144 | } | 152 | } |
145 | ds=s->enc_write_ctx; | 153 | ds=s->enc_write_ctx; |
@@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send) | |||
164 | { | 172 | { |
165 | if (EVP_MD_CTX_md(s->read_hash)) | 173 | if (EVP_MD_CTX_md(s->read_hash)) |
166 | { | 174 | { |
167 | n=EVP_MD_CTX_size(s->read_hash); | 175 | mac_size=EVP_MD_CTX_size(s->read_hash); |
168 | if (n < 0) | 176 | OPENSSL_assert(mac_size >= 0); |
169 | return -1; | ||
170 | } | 177 | } |
171 | ds=s->enc_read_ctx; | 178 | ds=s->enc_read_ctx; |
172 | rec= &(s->s3->rrec); | 179 | rec= &(s->s3->rrec); |
@@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send) | |||
231 | if (!send) | 238 | if (!send) |
232 | { | 239 | { |
233 | if (l == 0 || l%bs != 0) | 240 | if (l == 0 || l%bs != 0) |
234 | return -1; | 241 | return 0; |
235 | } | 242 | } |
236 | 243 | ||
237 | EVP_Cipher(ds,rec->data,rec->input,l); | 244 | EVP_Cipher(ds,rec->data,rec->input,l); |
@@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send) | |||
246 | #endif /* KSSL_DEBUG */ | 253 | #endif /* KSSL_DEBUG */ |
247 | 254 | ||
248 | if ((bs != 1) && !send) | 255 | if ((bs != 1) && !send) |
249 | { | 256 | return tls1_cbc_remove_padding(s, rec, bs, mac_size); |
250 | ii=i=rec->data[l-1]; /* padding_length */ | ||
251 | i++; | ||
252 | if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) | ||
253 | { | ||
254 | /* First packet is even in size, so check */ | ||
255 | if ((memcmp(s->s3->read_sequence, | ||
256 | "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) | ||
257 | s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; | ||
258 | if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) | ||
259 | i--; | ||
260 | } | ||
261 | /* TLS 1.0 does not bound the number of padding bytes by the block size. | ||
262 | * All of them must have value 'padding_length'. */ | ||
263 | if (i + bs > (int)rec->length) | ||
264 | { | ||
265 | /* Incorrect padding. SSLerr() and ssl3_alert are done | ||
266 | * by caller: we don't want to reveal whether this is | ||
267 | * a decryption error or a MAC verification failure | ||
268 | * (see http://www.openssl.org/~bodo/tls-cbc.txt) | ||
269 | */ | ||
270 | return -1; | ||
271 | } | ||
272 | for (j=(int)(l-i); j<(int)l; j++) | ||
273 | { | ||
274 | if (rec->data[j] != ii) | ||
275 | { | ||
276 | /* Incorrect padding */ | ||
277 | return -1; | ||
278 | } | ||
279 | } | ||
280 | rec->length-=i; | ||
281 | |||
282 | rec->data += bs; /* skip the implicit IV */ | ||
283 | rec->input += bs; | ||
284 | rec->length -= bs; | ||
285 | } | ||
286 | } | 257 | } |
287 | return(1); | 258 | return(1); |
288 | } | 259 | } |
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c index f61f718183..106939f241 100644 --- a/src/lib/libssl/d1_lib.c +++ b/src/lib/libssl/d1_lib.c | |||
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s) | |||
196 | pqueue_free(s->d1->buffered_app_data.q); | 196 | pqueue_free(s->d1->buffered_app_data.q); |
197 | 197 | ||
198 | OPENSSL_free(s->d1); | 198 | OPENSSL_free(s->d1); |
199 | s->d1 = NULL; | ||
199 | } | 200 | } |
200 | 201 | ||
201 | void dtls1_clear(SSL *s) | 202 | void dtls1_clear(SSL *s) |
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 987af60835..8186462d4a 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
@@ -376,15 +376,11 @@ static int | |||
376 | dtls1_process_record(SSL *s) | 376 | dtls1_process_record(SSL *s) |
377 | { | 377 | { |
378 | int i,al; | 378 | int i,al; |
379 | int clear=0; | ||
380 | int enc_err; | 379 | int enc_err; |
381 | SSL_SESSION *sess; | 380 | SSL_SESSION *sess; |
382 | SSL3_RECORD *rr; | 381 | SSL3_RECORD *rr; |
383 | unsigned int mac_size; | 382 | unsigned int mac_size, orig_len; |
384 | unsigned char md[EVP_MAX_MD_SIZE]; | 383 | unsigned char md[EVP_MAX_MD_SIZE]; |
385 | int decryption_failed_or_bad_record_mac = 0; | ||
386 | unsigned char *mac = NULL; | ||
387 | |||
388 | 384 | ||
389 | rr= &(s->s3->rrec); | 385 | rr= &(s->s3->rrec); |
390 | sess = s->session; | 386 | sess = s->session; |
@@ -416,12 +412,16 @@ dtls1_process_record(SSL *s) | |||
416 | rr->data=rr->input; | 412 | rr->data=rr->input; |
417 | 413 | ||
418 | enc_err = s->method->ssl3_enc->enc(s,0); | 414 | enc_err = s->method->ssl3_enc->enc(s,0); |
419 | if (enc_err <= 0) | 415 | /* enc_err is: |
416 | * 0: (in non-constant time) if the record is publically invalid. | ||
417 | * 1: if the padding is valid | ||
418 | * -1: if the padding is invalid */ | ||
419 | if (enc_err == 0) | ||
420 | { | 420 | { |
421 | /* To minimize information leaked via timing, we will always | 421 | /* For DTLS we simply ignore bad packets. */ |
422 | * perform all computations before discarding the message. | 422 | rr->length = 0; |
423 | */ | 423 | s->packet_length = 0; |
424 | decryption_failed_or_bad_record_mac = 1; | 424 | goto err; |
425 | } | 425 | } |
426 | 426 | ||
427 | #ifdef TLS_DEBUG | 427 | #ifdef TLS_DEBUG |
@@ -431,45 +431,62 @@ printf("\n"); | |||
431 | #endif | 431 | #endif |
432 | 432 | ||
433 | /* r->length is now the compressed data plus mac */ | 433 | /* r->length is now the compressed data plus mac */ |
434 | if ( (sess == NULL) || | 434 | if ((sess != NULL) && |
435 | (s->enc_read_ctx == NULL) || | 435 | (s->enc_read_ctx != NULL) && |
436 | (s->read_hash == NULL)) | 436 | (EVP_MD_CTX_md(s->read_hash) != NULL)) |
437 | clear=1; | ||
438 | |||
439 | if (!clear) | ||
440 | { | 437 | { |
441 | /* !clear => s->read_hash != NULL => mac_size != -1 */ | 438 | /* s->read_hash != NULL => mac_size != -1 */ |
442 | int t; | 439 | unsigned char *mac = NULL; |
443 | t=EVP_MD_CTX_size(s->read_hash); | 440 | unsigned char mac_tmp[EVP_MAX_MD_SIZE]; |
444 | OPENSSL_assert(t >= 0); | 441 | mac_size=EVP_MD_CTX_size(s->read_hash); |
445 | mac_size=t; | 442 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); |
446 | 443 | ||
447 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) | 444 | /* kludge: *_cbc_remove_padding passes padding length in rr->type */ |
445 | orig_len = rr->length+((unsigned int)rr->type>>8); | ||
446 | |||
447 | /* orig_len is the length of the record before any padding was | ||
448 | * removed. This is public information, as is the MAC in use, | ||
449 | * therefore we can safely process the record in a different | ||
450 | * amount of time if it's too short to possibly contain a MAC. | ||
451 | */ | ||
452 | if (orig_len < mac_size || | ||
453 | /* CBC records must have a padding length byte too. */ | ||
454 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && | ||
455 | orig_len < mac_size+1)) | ||
448 | { | 456 | { |
449 | #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ | 457 | al=SSL_AD_DECODE_ERROR; |
450 | al=SSL_AD_RECORD_OVERFLOW; | 458 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); |
451 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); | ||
452 | goto f_err; | 459 | goto f_err; |
453 | #else | ||
454 | decryption_failed_or_bad_record_mac = 1; | ||
455 | #endif | ||
456 | } | 460 | } |
457 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | 461 | |
458 | if (rr->length >= mac_size) | 462 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) |
459 | { | 463 | { |
464 | /* We update the length so that the TLS header bytes | ||
465 | * can be constructed correctly but we need to extract | ||
466 | * the MAC in constant time from within the record, | ||
467 | * without leaking the contents of the padding bytes. | ||
468 | * */ | ||
469 | mac = mac_tmp; | ||
470 | ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); | ||
460 | rr->length -= mac_size; | 471 | rr->length -= mac_size; |
461 | mac = &rr->data[rr->length]; | ||
462 | } | 472 | } |
463 | else | 473 | else |
464 | rr->length = 0; | ||
465 | i=s->method->ssl3_enc->mac(s,md,0); | ||
466 | if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) | ||
467 | { | 474 | { |
468 | decryption_failed_or_bad_record_mac = 1; | 475 | /* In this case there's no padding, so |orig_len| |
476 | * equals |rec->length| and we checked that there's | ||
477 | * enough bytes for |mac_size| above. */ | ||
478 | rr->length -= mac_size; | ||
479 | mac = &rr->data[rr->length]; | ||
469 | } | 480 | } |
481 | |||
482 | i=s->method->ssl3_enc->mac(s,md,0 /* not send */); | ||
483 | if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) | ||
484 | enc_err = -1; | ||
485 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) | ||
486 | enc_err = -1; | ||
470 | } | 487 | } |
471 | 488 | ||
472 | if (decryption_failed_or_bad_record_mac) | 489 | if (enc_err < 0) |
473 | { | 490 | { |
474 | /* decryption failed, silently discard message */ | 491 | /* decryption failed, silently discard message */ |
475 | rr->length = 0; | 492 | rr->length = 0; |
@@ -830,6 +847,12 @@ start: | |||
830 | } | 847 | } |
831 | } | 848 | } |
832 | 849 | ||
850 | if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) | ||
851 | { | ||
852 | rr->length = 0; | ||
853 | goto start; | ||
854 | } | ||
855 | |||
833 | /* we now have a packet which can be read and processed */ | 856 | /* we now have a packet which can be read and processed */ |
834 | 857 | ||
835 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | 858 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, |
@@ -1034,6 +1057,7 @@ start: | |||
1034 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | 1057 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && |
1035 | !s->s3->renegotiate) | 1058 | !s->s3->renegotiate) |
1036 | { | 1059 | { |
1060 | s->d1->handshake_read_seq++; | ||
1037 | s->new_session = 1; | 1061 | s->new_session = 1; |
1038 | ssl3_renegotiate(s); | 1062 | ssl3_renegotiate(s); |
1039 | if (ssl3_renegotiate_check(s)) | 1063 | if (ssl3_renegotiate_check(s)) |
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c index 928935bd8b..ab9c41922c 100644 --- a/src/lib/libssl/d1_srtp.c +++ b/src/lib/libssl/d1_srtp.c | |||
@@ -115,11 +115,12 @@ | |||
115 | Copyright (C) 2011, RTFM, Inc. | 115 | Copyright (C) 2011, RTFM, Inc. |
116 | */ | 116 | */ |
117 | 117 | ||
118 | #ifndef OPENSSL_NO_SRTP | ||
119 | |||
120 | #include <stdio.h> | 118 | #include <stdio.h> |
121 | #include <openssl/objects.h> | 119 | #include <openssl/objects.h> |
122 | #include "ssl_locl.h" | 120 | #include "ssl_locl.h" |
121 | |||
122 | #ifndef OPENSSL_NO_SRTP | ||
123 | |||
123 | #include "srtp.h" | 124 | #include "srtp.h" |
124 | 125 | ||
125 | 126 | ||
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 29421da9aa..9975e20873 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c | |||
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s) | |||
276 | case SSL3_ST_SW_HELLO_REQ_B: | 276 | case SSL3_ST_SW_HELLO_REQ_B: |
277 | 277 | ||
278 | s->shutdown=0; | 278 | s->shutdown=0; |
279 | dtls1_clear_record_buffer(s); | ||
279 | dtls1_start_timer(s); | 280 | dtls1_start_timer(s); |
280 | ret=dtls1_send_hello_request(s); | 281 | ret=dtls1_send_hello_request(s); |
281 | if (ret <= 0) goto end; | 282 | if (ret <= 0) goto end; |
282 | s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; | 283 | s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A; |
283 | s->state=SSL3_ST_SW_FLUSH; | 284 | s->state=SSL3_ST_SW_FLUSH; |
284 | s->init_num=0; | 285 | s->init_num=0; |
285 | 286 | ||
@@ -721,10 +722,13 @@ int dtls1_accept(SSL *s) | |||
721 | if (ret <= 0) goto end; | 722 | if (ret <= 0) goto end; |
722 | 723 | ||
723 | #ifndef OPENSSL_NO_SCTP | 724 | #ifndef OPENSSL_NO_SCTP |
724 | /* Change to new shared key of SCTP-Auth, | 725 | if (!s->hit) |
725 | * will be ignored if no SCTP used. | 726 | { |
726 | */ | 727 | /* Change to new shared key of SCTP-Auth, |
727 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); | 728 | * will be ignored if no SCTP used. |
729 | */ | ||
730 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); | ||
731 | } | ||
728 | #endif | 732 | #endif |
729 | 733 | ||
730 | s->state=SSL3_ST_SW_FINISHED_A; | 734 | s->state=SSL3_ST_SW_FINISHED_A; |
@@ -749,7 +753,16 @@ int dtls1_accept(SSL *s) | |||
749 | if (ret <= 0) goto end; | 753 | if (ret <= 0) goto end; |
750 | s->state=SSL3_ST_SW_FLUSH; | 754 | s->state=SSL3_ST_SW_FLUSH; |
751 | if (s->hit) | 755 | if (s->hit) |
756 | { | ||
752 | s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; | 757 | s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; |
758 | |||
759 | #ifndef OPENSSL_NO_SCTP | ||
760 | /* Change to new shared key of SCTP-Auth, | ||
761 | * will be ignored if no SCTP used. | ||
762 | */ | ||
763 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); | ||
764 | #endif | ||
765 | } | ||
753 | else | 766 | else |
754 | { | 767 | { |
755 | s->s3->tmp.next_state=SSL_ST_OK; | 768 | s->s3->tmp.next_state=SSL_ST_OK; |
@@ -912,15 +925,13 @@ int dtls1_send_server_hello(SSL *s) | |||
912 | unsigned char *p,*d; | 925 | unsigned char *p,*d; |
913 | int i; | 926 | int i; |
914 | unsigned int sl; | 927 | unsigned int sl; |
915 | unsigned long l,Time; | 928 | unsigned long l; |
916 | 929 | ||
917 | if (s->state == SSL3_ST_SW_SRVR_HELLO_A) | 930 | if (s->state == SSL3_ST_SW_SRVR_HELLO_A) |
918 | { | 931 | { |
919 | buf=(unsigned char *)s->init_buf->data; | 932 | buf=(unsigned char *)s->init_buf->data; |
920 | p=s->s3->server_random; | 933 | p=s->s3->server_random; |
921 | Time=(unsigned long)time(NULL); /* Time */ | 934 | ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE); |
922 | l2n(Time,p); | ||
923 | RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); | ||
924 | /* Do the message type and length last */ | 935 | /* Do the message type and length last */ |
925 | d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); | 936 | d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); |
926 | 937 | ||
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h index 5008bf6081..e65d501191 100644 --- a/src/lib/libssl/dtls1.h +++ b/src/lib/libssl/dtls1.h | |||
@@ -57,8 +57,8 @@ | |||
57 | * | 57 | * |
58 | */ | 58 | */ |
59 | 59 | ||
60 | #ifndef HEADER_DTLS1_H | 60 | #ifndef HEADER_DTLS1_H |
61 | #define HEADER_DTLS1_H | 61 | #define HEADER_DTLS1_H |
62 | 62 | ||
63 | #include <openssl/buffer.h> | 63 | #include <openssl/buffer.h> |
64 | #include <openssl/pqueue.h> | 64 | #include <openssl/pqueue.h> |
@@ -72,8 +72,12 @@ | |||
72 | #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) | 72 | #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) |
73 | #include <sys/timeval.h> | 73 | #include <sys/timeval.h> |
74 | #else | 74 | #else |
75 | #if defined(OPENSSL_SYS_VXWORKS) | ||
76 | #include <sys/times.h> | ||
77 | #else | ||
75 | #include <sys/time.h> | 78 | #include <sys/time.h> |
76 | #endif | 79 | #endif |
80 | #endif | ||
77 | 81 | ||
78 | #ifdef __cplusplus | 82 | #ifdef __cplusplus |
79 | extern "C" { | 83 | extern "C" { |
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index 47673e740a..2b93c639dd 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c | |||
@@ -269,12 +269,35 @@ static int ssl23_no_ssl2_ciphers(SSL *s) | |||
269 | return 1; | 269 | return 1; |
270 | } | 270 | } |
271 | 271 | ||
272 | /* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 | ||
273 | * on failure, 1 on success. */ | ||
274 | int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) | ||
275 | { | ||
276 | int send_time = 0; | ||
277 | |||
278 | if (len < 4) | ||
279 | return 0; | ||
280 | if (server) | ||
281 | send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; | ||
282 | else | ||
283 | send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; | ||
284 | if (send_time) | ||
285 | { | ||
286 | unsigned long Time = (unsigned long)time(NULL); | ||
287 | unsigned char *p = result; | ||
288 | l2n(Time, p); | ||
289 | return RAND_pseudo_bytes(p, len-4); | ||
290 | } | ||
291 | else | ||
292 | return RAND_pseudo_bytes(result, len); | ||
293 | } | ||
294 | |||
272 | static int ssl23_client_hello(SSL *s) | 295 | static int ssl23_client_hello(SSL *s) |
273 | { | 296 | { |
274 | unsigned char *buf; | 297 | unsigned char *buf; |
275 | unsigned char *p,*d; | 298 | unsigned char *p,*d; |
276 | int i,ch_len; | 299 | int i,ch_len; |
277 | unsigned long Time,l; | 300 | unsigned long l; |
278 | int ssl2_compat; | 301 | int ssl2_compat; |
279 | int version = 0, version_major, version_minor; | 302 | int version = 0, version_major, version_minor; |
280 | #ifndef OPENSSL_NO_COMP | 303 | #ifndef OPENSSL_NO_COMP |
@@ -355,9 +378,7 @@ static int ssl23_client_hello(SSL *s) | |||
355 | #endif | 378 | #endif |
356 | 379 | ||
357 | p=s->s3->client_random; | 380 | p=s->s3->client_random; |
358 | Time=(unsigned long)time(NULL); /* Time */ | 381 | if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) |
359 | l2n(Time,p); | ||
360 | if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | ||
361 | return -1; | 382 | return -1; |
362 | 383 | ||
363 | if (version == TLS1_2_VERSION) | 384 | if (version == TLS1_2_VERSION) |
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c index b63460a56d..53b9390fdd 100644 --- a/src/lib/libssl/s3_both.c +++ b/src/lib/libssl/s3_both.c | |||
@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) | |||
161 | 161 | ||
162 | i=s->method->ssl3_enc->final_finish_mac(s, | 162 | i=s->method->ssl3_enc->final_finish_mac(s, |
163 | sender,slen,s->s3->tmp.finish_md); | 163 | sender,slen,s->s3->tmp.finish_md); |
164 | if (i == 0) | ||
165 | return 0; | ||
164 | s->s3->tmp.finish_md_len = i; | 166 | s->s3->tmp.finish_md_len = i; |
165 | memcpy(p, s->s3->tmp.finish_md, i); | 167 | memcpy(p, s->s3->tmp.finish_md, i); |
166 | p+=i; | 168 | p+=i; |
@@ -204,10 +206,15 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) | |||
204 | 206 | ||
205 | #ifndef OPENSSL_NO_NEXTPROTONEG | 207 | #ifndef OPENSSL_NO_NEXTPROTONEG |
206 | /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ | 208 | /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ |
207 | static void ssl3_take_mac(SSL *s) { | 209 | static void ssl3_take_mac(SSL *s) |
210 | { | ||
208 | const char *sender; | 211 | const char *sender; |
209 | int slen; | 212 | int slen; |
210 | 213 | /* If no new cipher setup return immediately: other functions will | |
214 | * set the appropriate error. | ||
215 | */ | ||
216 | if (s->s3->tmp.new_cipher == NULL) | ||
217 | return; | ||
211 | if (s->state & SSL_ST_CONNECT) | 218 | if (s->state & SSL_ST_CONNECT) |
212 | { | 219 | { |
213 | sender=s->method->ssl3_enc->server_finished_label; | 220 | sender=s->method->ssl3_enc->server_finished_label; |
@@ -221,7 +228,7 @@ static void ssl3_take_mac(SSL *s) { | |||
221 | 228 | ||
222 | s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, | 229 | s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, |
223 | sender,slen,s->s3->tmp.peer_finish_md); | 230 | sender,slen,s->s3->tmp.peer_finish_md); |
224 | } | 231 | } |
225 | #endif | 232 | #endif |
226 | 233 | ||
227 | int ssl3_get_finished(SSL *s, int a, int b) | 234 | int ssl3_get_finished(SSL *s, int a, int b) |
@@ -231,8 +238,9 @@ int ssl3_get_finished(SSL *s, int a, int b) | |||
231 | unsigned char *p; | 238 | unsigned char *p; |
232 | 239 | ||
233 | #ifdef OPENSSL_NO_NEXTPROTONEG | 240 | #ifdef OPENSSL_NO_NEXTPROTONEG |
234 | /* the mac has already been generated when we received the change | 241 | /* the mac has already been generated when we received the |
235 | * cipher spec message and is in s->s3->tmp.peer_finish_md. */ | 242 | * change cipher spec message and is in s->s3->tmp.peer_finish_md. |
243 | */ | ||
236 | #endif | 244 | #endif |
237 | 245 | ||
238 | n=s->method->ssl_get_message(s, | 246 | n=s->method->ssl_get_message(s, |
@@ -263,7 +271,7 @@ int ssl3_get_finished(SSL *s, int a, int b) | |||
263 | goto f_err; | 271 | goto f_err; |
264 | } | 272 | } |
265 | 273 | ||
266 | if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) | 274 | if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) |
267 | { | 275 | { |
268 | al=SSL_AD_DECRYPT_ERROR; | 276 | al=SSL_AD_DECRYPT_ERROR; |
269 | SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); | 277 | SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); |
@@ -537,12 +545,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) | |||
537 | s->init_num += i; | 545 | s->init_num += i; |
538 | n -= i; | 546 | n -= i; |
539 | } | 547 | } |
548 | |||
540 | #ifndef OPENSSL_NO_NEXTPROTONEG | 549 | #ifndef OPENSSL_NO_NEXTPROTONEG |
541 | /* If receiving Finished, record MAC of prior handshake messages for | 550 | /* If receiving Finished, record MAC of prior handshake messages for |
542 | * Finished verification. */ | 551 | * Finished verification. */ |
543 | if (*s->init_buf->data == SSL3_MT_FINISHED) | 552 | if (*s->init_buf->data == SSL3_MT_FINISHED) |
544 | ssl3_take_mac(s); | 553 | ssl3_take_mac(s); |
545 | #endif | 554 | #endif |
555 | |||
546 | /* Feed this message into MAC computation. */ | 556 | /* Feed this message into MAC computation. */ |
547 | ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); | 557 | ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); |
548 | if (s->msg_callback) | 558 | if (s->msg_callback) |
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index b80d052e1f..a6b3c01afa 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
@@ -459,7 +459,6 @@ int ssl3_connect(SSL *s) | |||
459 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); | 459 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); |
460 | if (ret <= 0) goto end; | 460 | if (ret <= 0) goto end; |
461 | 461 | ||
462 | |||
463 | #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) | 462 | #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
464 | s->state=SSL3_ST_CW_FINISHED_A; | 463 | s->state=SSL3_ST_CW_FINISHED_A; |
465 | #else | 464 | #else |
@@ -656,7 +655,7 @@ int ssl3_client_hello(SSL *s) | |||
656 | unsigned char *buf; | 655 | unsigned char *buf; |
657 | unsigned char *p,*d; | 656 | unsigned char *p,*d; |
658 | int i; | 657 | int i; |
659 | unsigned long Time,l; | 658 | unsigned long l; |
660 | #ifndef OPENSSL_NO_COMP | 659 | #ifndef OPENSSL_NO_COMP |
661 | int j; | 660 | int j; |
662 | SSL_COMP *comp; | 661 | SSL_COMP *comp; |
@@ -681,9 +680,8 @@ int ssl3_client_hello(SSL *s) | |||
681 | /* else use the pre-loaded session */ | 680 | /* else use the pre-loaded session */ |
682 | 681 | ||
683 | p=s->s3->client_random; | 682 | p=s->s3->client_random; |
684 | Time=(unsigned long)time(NULL); /* Time */ | 683 | |
685 | l2n(Time,p); | 684 | if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) |
686 | if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | ||
687 | goto err; | 685 | goto err; |
688 | 686 | ||
689 | /* Do the message type and length last */ | 687 | /* Do the message type and length last */ |
@@ -987,7 +985,10 @@ int ssl3_get_server_hello(SSL *s) | |||
987 | * client authentication. | 985 | * client authentication. |
988 | */ | 986 | */ |
989 | if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) | 987 | if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) |
988 | { | ||
989 | al = SSL_AD_INTERNAL_ERROR; | ||
990 | goto f_err; | 990 | goto f_err; |
991 | } | ||
991 | /* lets get the compression algorithm */ | 992 | /* lets get the compression algorithm */ |
992 | /* COMPRESSION */ | 993 | /* COMPRESSION */ |
993 | #ifdef OPENSSL_NO_COMP | 994 | #ifdef OPENSSL_NO_COMP |
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index fb60cde8ee..c4ef2738d7 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1125 | 0, /* not implemented (non-ephemeral DH) */ | 1125 | 0, /* not implemented (non-ephemeral DH) */ |
1126 | TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, | 1126 | TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, |
1127 | TLS1_CK_DH_DSS_WITH_AES_128_SHA256, | 1127 | TLS1_CK_DH_DSS_WITH_AES_128_SHA256, |
1128 | SSL_kDHr, | 1128 | SSL_kDHd, |
1129 | SSL_aDH, | 1129 | SSL_aDH, |
1130 | SSL_AES128, | 1130 | SSL_AES128, |
1131 | SSL_SHA256, | 1131 | SSL_SHA256, |
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1407 | 0, /* not implemented (non-ephemeral DH) */ | 1407 | 0, /* not implemented (non-ephemeral DH) */ |
1408 | TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, | 1408 | TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, |
1409 | TLS1_CK_DH_DSS_WITH_AES_256_SHA256, | 1409 | TLS1_CK_DH_DSS_WITH_AES_256_SHA256, |
1410 | SSL_kDHr, | 1410 | SSL_kDHd, |
1411 | SSL_aDH, | 1411 | SSL_aDH, |
1412 | SSL_AES256, | 1412 | SSL_AES256, |
1413 | SSL_SHA256, | 1413 | SSL_SHA256, |
@@ -1683,7 +1683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1683 | SSL_3DES, | 1683 | SSL_3DES, |
1684 | SSL_SHA1, | 1684 | SSL_SHA1, |
1685 | SSL_TLSV1, | 1685 | SSL_TLSV1, |
1686 | SSL_NOT_EXP|SSL_HIGH, | 1686 | SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, |
1687 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | 1687 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, |
1688 | 168, | 1688 | 168, |
1689 | 168, | 1689 | 168, |
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1699 | SSL_AES128, | 1699 | SSL_AES128, |
1700 | SSL_SHA1, | 1700 | SSL_SHA1, |
1701 | SSL_TLSV1, | 1701 | SSL_TLSV1, |
1702 | SSL_NOT_EXP|SSL_HIGH, | 1702 | SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, |
1703 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | 1703 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, |
1704 | 128, | 1704 | 128, |
1705 | 128, | 1705 | 128, |
@@ -1715,7 +1715,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1715 | SSL_AES256, | 1715 | SSL_AES256, |
1716 | SSL_SHA1, | 1716 | SSL_SHA1, |
1717 | SSL_TLSV1, | 1717 | SSL_TLSV1, |
1718 | SSL_NOT_EXP|SSL_HIGH, | 1718 | SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, |
1719 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, | 1719 | SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, |
1720 | 256, | 1720 | 256, |
1721 | 256, | 1721 | 256, |
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1958 | 0, | 1958 | 0, |
1959 | TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, | 1959 | TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, |
1960 | TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, | 1960 | TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, |
1961 | SSL_kDHr, | 1961 | SSL_kDHd, |
1962 | SSL_aDH, | 1962 | SSL_aDH, |
1963 | SSL_AES128GCM, | 1963 | SSL_AES128GCM, |
1964 | SSL_AEAD, | 1964 | SSL_AEAD, |
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
1974 | 0, | 1974 | 0, |
1975 | TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, | 1975 | TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, |
1976 | TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, | 1976 | TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, |
1977 | SSL_kDHr, | 1977 | SSL_kDHd, |
1978 | SSL_aDH, | 1978 | SSL_aDH, |
1979 | SSL_AES256GCM, | 1979 | SSL_AES256GCM, |
1980 | SSL_AEAD, | 1980 | SSL_AEAD, |
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
2669 | 1, | 2669 | 1, |
2670 | TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, | 2670 | TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, |
2671 | TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, | 2671 | TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, |
2672 | SSL_kECDHe, | 2672 | SSL_kECDHr, |
2673 | SSL_aECDH, | 2673 | SSL_aECDH, |
2674 | SSL_AES128, | 2674 | SSL_AES128, |
2675 | SSL_SHA256, | 2675 | SSL_SHA256, |
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
2685 | 1, | 2685 | 1, |
2686 | TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, | 2686 | TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, |
2687 | TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, | 2687 | TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, |
2688 | SSL_kECDHe, | 2688 | SSL_kECDHr, |
2689 | SSL_aECDH, | 2689 | SSL_aECDH, |
2690 | SSL_AES256, | 2690 | SSL_AES256, |
2691 | SSL_SHA384, | 2691 | SSL_SHA384, |
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
2799 | 1, | 2799 | 1, |
2800 | TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, | 2800 | TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, |
2801 | TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, | 2801 | TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, |
2802 | SSL_kECDHe, | 2802 | SSL_kECDHr, |
2803 | SSL_aECDH, | 2803 | SSL_aECDH, |
2804 | SSL_AES128GCM, | 2804 | SSL_AES128GCM, |
2805 | SSL_AEAD, | 2805 | SSL_AEAD, |
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ | |||
2815 | 1, | 2815 | 1, |
2816 | TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, | 2816 | TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, |
2817 | TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, | 2817 | TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, |
2818 | SSL_kECDHe, | 2818 | SSL_kECDHr, |
2819 | SSL_aECDH, | 2819 | SSL_aECDH, |
2820 | SSL_AES256GCM, | 2820 | SSL_AES256GCM, |
2821 | SSL_AEAD, | 2821 | SSL_AEAD, |
@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s) | |||
3037 | s->s3->tmp.ecdh = NULL; | 3037 | s->s3->tmp.ecdh = NULL; |
3038 | } | 3038 | } |
3039 | #endif | 3039 | #endif |
3040 | #ifndef OPENSSL_NO_TLSEXT | ||
3041 | #ifndef OPENSSL_NO_EC | ||
3042 | s->s3->is_probably_safari = 0; | ||
3043 | #endif /* !OPENSSL_NO_EC */ | ||
3044 | #endif /* !OPENSSL_NO_TLSEXT */ | ||
3040 | 3045 | ||
3041 | rp = s->s3->rbuf.buf; | 3046 | rp = s->s3->rbuf.buf; |
3042 | wp = s->s3->wbuf.buf; | 3047 | wp = s->s3->wbuf.buf; |
@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, | |||
4016 | ii=sk_SSL_CIPHER_find(allow,c); | 4021 | ii=sk_SSL_CIPHER_find(allow,c); |
4017 | if (ii >= 0) | 4022 | if (ii >= 0) |
4018 | { | 4023 | { |
4024 | #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT) | ||
4025 | if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) | ||
4026 | { | ||
4027 | if (!ret) ret=sk_SSL_CIPHER_value(allow,ii); | ||
4028 | continue; | ||
4029 | } | ||
4030 | #endif | ||
4019 | ret=sk_SSL_CIPHER_value(allow,ii); | 4031 | ret=sk_SSL_CIPHER_value(allow,ii); |
4020 | break; | 4032 | break; |
4021 | } | 4033 | } |
@@ -4274,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. | |||
4274 | long ssl_get_algorithm2(SSL *s) | 4286 | long ssl_get_algorithm2(SSL *s) |
4275 | { | 4287 | { |
4276 | long alg2 = s->s3->tmp.new_cipher->algorithm2; | 4288 | long alg2 = s->s3->tmp.new_cipher->algorithm2; |
4277 | if (TLS1_get_version(s) >= TLS1_2_VERSION && | 4289 | if (s->method->version == TLS1_2_VERSION && |
4278 | alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) | 4290 | alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) |
4279 | return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; | 4291 | return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; |
4280 | return alg2; | 4292 | return alg2; |
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index adf8c387cc..96ba63262e 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c | |||
@@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s) | |||
290 | unsigned char *p; | 290 | unsigned char *p; |
291 | unsigned char md[EVP_MAX_MD_SIZE]; | 291 | unsigned char md[EVP_MAX_MD_SIZE]; |
292 | short version; | 292 | short version; |
293 | int mac_size; | 293 | unsigned mac_size, orig_len; |
294 | int clear=0; | ||
295 | size_t extra; | 294 | size_t extra; |
296 | int decryption_failed_or_bad_record_mac = 0; | ||
297 | unsigned char *mac = NULL; | ||
298 | 295 | ||
299 | rr= &(s->s3->rrec); | 296 | rr= &(s->s3->rrec); |
300 | sess=s->session; | 297 | sess=s->session; |
@@ -338,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); | |||
338 | if (version != s->version) | 335 | if (version != s->version) |
339 | { | 336 | { |
340 | SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); | 337 | SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
341 | if ((s->version & 0xFF00) == (version & 0xFF00)) | 338 | if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) |
342 | /* Send back error using their minor version number :-) */ | 339 | /* Send back error using their minor version number :-) */ |
343 | s->version = (unsigned short)version; | 340 | s->version = (unsigned short)version; |
344 | al=SSL_AD_PROTOCOL_VERSION; | 341 | al=SSL_AD_PROTOCOL_VERSION; |
@@ -403,17 +400,15 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); | |||
403 | rr->data=rr->input; | 400 | rr->data=rr->input; |
404 | 401 | ||
405 | enc_err = s->method->ssl3_enc->enc(s,0); | 402 | enc_err = s->method->ssl3_enc->enc(s,0); |
406 | if (enc_err <= 0) | 403 | /* enc_err is: |
404 | * 0: (in non-constant time) if the record is publically invalid. | ||
405 | * 1: if the padding is valid | ||
406 | * -1: if the padding is invalid */ | ||
407 | if (enc_err == 0) | ||
407 | { | 408 | { |
408 | if (enc_err == 0) | 409 | al=SSL_AD_DECRYPTION_FAILED; |
409 | /* SSLerr() and ssl3_send_alert() have been called */ | 410 | SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); |
410 | goto err; | 411 | goto f_err; |
411 | |||
412 | /* Otherwise enc_err == -1, which indicates bad padding | ||
413 | * (rec->length has not been changed in this case). | ||
414 | * To minimize information leaked via timing, we will perform | ||
415 | * the MAC computation anyway. */ | ||
416 | decryption_failed_or_bad_record_mac = 1; | ||
417 | } | 412 | } |
418 | 413 | ||
419 | #ifdef TLS_DEBUG | 414 | #ifdef TLS_DEBUG |
@@ -423,53 +418,62 @@ printf("\n"); | |||
423 | #endif | 418 | #endif |
424 | 419 | ||
425 | /* r->length is now the compressed data plus mac */ | 420 | /* r->length is now the compressed data plus mac */ |
426 | if ( (sess == NULL) || | 421 | if ((sess != NULL) && |
427 | (s->enc_read_ctx == NULL) || | 422 | (s->enc_read_ctx != NULL) && |
428 | (EVP_MD_CTX_md(s->read_hash) == NULL)) | 423 | (EVP_MD_CTX_md(s->read_hash) != NULL)) |
429 | clear=1; | ||
430 | |||
431 | if (!clear) | ||
432 | { | 424 | { |
433 | /* !clear => s->read_hash != NULL => mac_size != -1 */ | 425 | /* s->read_hash != NULL => mac_size != -1 */ |
426 | unsigned char *mac = NULL; | ||
427 | unsigned char mac_tmp[EVP_MAX_MD_SIZE]; | ||
434 | mac_size=EVP_MD_CTX_size(s->read_hash); | 428 | mac_size=EVP_MD_CTX_size(s->read_hash); |
435 | OPENSSL_assert(mac_size >= 0); | 429 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); |
436 | 430 | ||
437 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) | 431 | /* kludge: *_cbc_remove_padding passes padding length in rr->type */ |
432 | orig_len = rr->length+((unsigned int)rr->type>>8); | ||
433 | |||
434 | /* orig_len is the length of the record before any padding was | ||
435 | * removed. This is public information, as is the MAC in use, | ||
436 | * therefore we can safely process the record in a different | ||
437 | * amount of time if it's too short to possibly contain a MAC. | ||
438 | */ | ||
439 | if (orig_len < mac_size || | ||
440 | /* CBC records must have a padding length byte too. */ | ||
441 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && | ||
442 | orig_len < mac_size+1)) | ||
438 | { | 443 | { |
439 | #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ | 444 | al=SSL_AD_DECODE_ERROR; |
440 | al=SSL_AD_RECORD_OVERFLOW; | 445 | SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); |
441 | SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); | ||
442 | goto f_err; | 446 | goto f_err; |
443 | #else | ||
444 | decryption_failed_or_bad_record_mac = 1; | ||
445 | #endif | ||
446 | } | 447 | } |
447 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | 448 | |
448 | if (rr->length >= (unsigned int)mac_size) | 449 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) |
449 | { | 450 | { |
451 | /* We update the length so that the TLS header bytes | ||
452 | * can be constructed correctly but we need to extract | ||
453 | * the MAC in constant time from within the record, | ||
454 | * without leaking the contents of the padding bytes. | ||
455 | * */ | ||
456 | mac = mac_tmp; | ||
457 | ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); | ||
450 | rr->length -= mac_size; | 458 | rr->length -= mac_size; |
451 | mac = &rr->data[rr->length]; | ||
452 | } | 459 | } |
453 | else | 460 | else |
454 | { | 461 | { |
455 | /* record (minus padding) is too short to contain a MAC */ | 462 | /* In this case there's no padding, so |orig_len| |
456 | #if 0 /* OK only for stream ciphers */ | 463 | * equals |rec->length| and we checked that there's |
457 | al=SSL_AD_DECODE_ERROR; | 464 | * enough bytes for |mac_size| above. */ |
458 | SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); | 465 | rr->length -= mac_size; |
459 | goto f_err; | 466 | mac = &rr->data[rr->length]; |
460 | #else | ||
461 | decryption_failed_or_bad_record_mac = 1; | ||
462 | rr->length = 0; | ||
463 | #endif | ||
464 | } | ||
465 | i=s->method->ssl3_enc->mac(s,md,0); | ||
466 | if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0) | ||
467 | { | ||
468 | decryption_failed_or_bad_record_mac = 1; | ||
469 | } | 467 | } |
468 | |||
469 | i=s->method->ssl3_enc->mac(s,md,0 /* not send */); | ||
470 | if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) | ||
471 | enc_err = -1; | ||
472 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) | ||
473 | enc_err = -1; | ||
470 | } | 474 | } |
471 | 475 | ||
472 | if (decryption_failed_or_bad_record_mac) | 476 | if (enc_err < 0) |
473 | { | 477 | { |
474 | /* A separate 'decryption_failed' alert was introduced with TLS 1.0, | 478 | /* A separate 'decryption_failed' alert was introduced with TLS 1.0, |
475 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption | 479 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption |
@@ -744,6 +748,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, | |||
744 | * bytes and record version number > TLS 1.0 | 748 | * bytes and record version number > TLS 1.0 |
745 | */ | 749 | */ |
746 | if (s->state == SSL3_ST_CW_CLNT_HELLO_B | 750 | if (s->state == SSL3_ST_CW_CLNT_HELLO_B |
751 | && !s->renegotiate | ||
747 | && TLS1_get_version(s) > TLS1_VERSION) | 752 | && TLS1_get_version(s) > TLS1_VERSION) |
748 | *(p++) = 0x1; | 753 | *(p++) = 0x1; |
749 | else | 754 | else |
@@ -1238,7 +1243,7 @@ start: | |||
1238 | goto f_err; | 1243 | goto f_err; |
1239 | } | 1244 | } |
1240 | #ifdef SSL_AD_MISSING_SRP_USERNAME | 1245 | #ifdef SSL_AD_MISSING_SRP_USERNAME |
1241 | if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) | 1246 | else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) |
1242 | return(0); | 1247 | return(0); |
1243 | #endif | 1248 | #endif |
1244 | } | 1249 | } |
@@ -1454,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) | |||
1454 | slen=s->method->ssl3_enc->client_finished_label_len; | 1459 | slen=s->method->ssl3_enc->client_finished_label_len; |
1455 | } | 1460 | } |
1456 | 1461 | ||
1457 | s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, | 1462 | i = s->method->ssl3_enc->final_finish_mac(s, |
1458 | sender,slen,s->s3->tmp.peer_finish_md); | 1463 | sender,slen,s->s3->tmp.peer_finish_md); |
1464 | if (i == 0) | ||
1465 | { | ||
1466 | SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); | ||
1467 | return 0; | ||
1468 | } | ||
1469 | s->s3->tmp.peer_finish_md_len = i; | ||
1459 | 1470 | ||
1460 | return(1); | 1471 | return(1); |
1461 | } | 1472 | } |
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 118939fabb..9ac19c05f2 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
@@ -191,7 +191,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) | |||
191 | { | 191 | { |
192 | if(s->srp_ctx.login == NULL) | 192 | if(s->srp_ctx.login == NULL) |
193 | { | 193 | { |
194 | /* There isn't any srp login extension !!! */ | 194 | /* RFC 5054 says SHOULD reject, |
195 | we do so if There is no srp login name */ | ||
195 | ret = SSL3_AL_FATAL; | 196 | ret = SSL3_AL_FATAL; |
196 | *al = SSL_AD_UNKNOWN_PSK_IDENTITY; | 197 | *al = SSL_AD_UNKNOWN_PSK_IDENTITY; |
197 | } | 198 | } |
@@ -378,6 +379,7 @@ int ssl3_accept(SSL *s) | |||
378 | } | 379 | } |
379 | } | 380 | } |
380 | #endif | 381 | #endif |
382 | |||
381 | s->renegotiate = 2; | 383 | s->renegotiate = 2; |
382 | s->state=SSL3_ST_SW_SRVR_HELLO_A; | 384 | s->state=SSL3_ST_SW_SRVR_HELLO_A; |
383 | s->init_num=0; | 385 | s->init_num=0; |
@@ -956,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) | |||
956 | (s->version != DTLS1_VERSION && s->client_version < s->version)) | 958 | (s->version != DTLS1_VERSION && s->client_version < s->version)) |
957 | { | 959 | { |
958 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); | 960 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); |
959 | if ((s->client_version>>8) == SSL3_VERSION_MAJOR) | 961 | if ((s->client_version>>8) == SSL3_VERSION_MAJOR && |
962 | !s->enc_write_ctx && !s->write_hash) | ||
960 | { | 963 | { |
961 | /* similar to ssl3_get_record, send alert using remote version number */ | 964 | /* similar to ssl3_get_record, send alert using remote version number */ |
962 | s->version = s->client_version; | 965 | s->version = s->client_version; |
@@ -1181,7 +1184,7 @@ int ssl3_get_client_hello(SSL *s) | |||
1181 | goto f_err; | 1184 | goto f_err; |
1182 | } | 1185 | } |
1183 | } | 1186 | } |
1184 | if (ssl_check_clienthello_tlsext(s) <= 0) { | 1187 | if (ssl_check_clienthello_tlsext_early(s) <= 0) { |
1185 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); | 1188 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); |
1186 | goto err; | 1189 | goto err; |
1187 | } | 1190 | } |
@@ -1191,12 +1194,9 @@ int ssl3_get_client_hello(SSL *s) | |||
1191 | * server_random before calling tls_session_secret_cb in order to allow | 1194 | * server_random before calling tls_session_secret_cb in order to allow |
1192 | * SessionTicket processing to use it in key derivation. */ | 1195 | * SessionTicket processing to use it in key derivation. */ |
1193 | { | 1196 | { |
1194 | unsigned long Time; | ||
1195 | unsigned char *pos; | 1197 | unsigned char *pos; |
1196 | Time=(unsigned long)time(NULL); /* Time */ | ||
1197 | pos=s->s3->server_random; | 1198 | pos=s->s3->server_random; |
1198 | l2n(Time,pos); | 1199 | if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) |
1199 | if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) | ||
1200 | { | 1200 | { |
1201 | al=SSL_AD_INTERNAL_ERROR; | 1201 | al=SSL_AD_INTERNAL_ERROR; |
1202 | goto f_err; | 1202 | goto f_err; |
@@ -1389,7 +1389,10 @@ int ssl3_get_client_hello(SSL *s) | |||
1389 | if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) | 1389 | if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) |
1390 | { | 1390 | { |
1391 | if (!ssl3_digest_cached_records(s)) | 1391 | if (!ssl3_digest_cached_records(s)) |
1392 | { | ||
1393 | al = SSL_AD_INTERNAL_ERROR; | ||
1392 | goto f_err; | 1394 | goto f_err; |
1395 | } | ||
1393 | } | 1396 | } |
1394 | 1397 | ||
1395 | /* we now have the following setup. | 1398 | /* we now have the following setup. |
@@ -1403,6 +1406,16 @@ int ssl3_get_client_hello(SSL *s) | |||
1403 | * s->tmp.new_cipher - the new cipher to use. | 1406 | * s->tmp.new_cipher - the new cipher to use. |
1404 | */ | 1407 | */ |
1405 | 1408 | ||
1409 | /* Handles TLS extensions that we couldn't check earlier */ | ||
1410 | if (s->version >= SSL3_VERSION) | ||
1411 | { | ||
1412 | if (ssl_check_clienthello_tlsext_late(s) <= 0) | ||
1413 | { | ||
1414 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); | ||
1415 | goto err; | ||
1416 | } | ||
1417 | } | ||
1418 | |||
1406 | if (ret < 0) ret=1; | 1419 | if (ret < 0) ret=1; |
1407 | if (0) | 1420 | if (0) |
1408 | { | 1421 | { |
@@ -1420,19 +1433,13 @@ int ssl3_send_server_hello(SSL *s) | |||
1420 | unsigned char *p,*d; | 1433 | unsigned char *p,*d; |
1421 | int i,sl; | 1434 | int i,sl; |
1422 | unsigned long l; | 1435 | unsigned long l; |
1423 | #ifdef OPENSSL_NO_TLSEXT | ||
1424 | unsigned long Time; | ||
1425 | #endif | ||
1426 | 1436 | ||
1427 | if (s->state == SSL3_ST_SW_SRVR_HELLO_A) | 1437 | if (s->state == SSL3_ST_SW_SRVR_HELLO_A) |
1428 | { | 1438 | { |
1429 | buf=(unsigned char *)s->init_buf->data; | 1439 | buf=(unsigned char *)s->init_buf->data; |
1430 | #ifdef OPENSSL_NO_TLSEXT | 1440 | #ifdef OPENSSL_NO_TLSEXT |
1431 | p=s->s3->server_random; | 1441 | p=s->s3->server_random; |
1432 | /* Generate server_random if it was not needed previously */ | 1442 | if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) |
1433 | Time=(unsigned long)time(NULL); /* Time */ | ||
1434 | l2n(Time,p); | ||
1435 | if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) | ||
1436 | return -1; | 1443 | return -1; |
1437 | #endif | 1444 | #endif |
1438 | /* Do the message type and length last */ | 1445 | /* Do the message type and length last */ |
@@ -1823,7 +1830,7 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
1823 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); | 1830 | SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); |
1824 | goto f_err; | 1831 | goto f_err; |
1825 | } | 1832 | } |
1826 | for (i=0; r[i] != NULL && i<4; i++) | 1833 | for (i=0; i < 4 && r[i] != NULL; i++) |
1827 | { | 1834 | { |
1828 | nr[i]=BN_num_bytes(r[i]); | 1835 | nr[i]=BN_num_bytes(r[i]); |
1829 | #ifndef OPENSSL_NO_SRP | 1836 | #ifndef OPENSSL_NO_SRP |
@@ -1859,7 +1866,7 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
1859 | d=(unsigned char *)s->init_buf->data; | 1866 | d=(unsigned char *)s->init_buf->data; |
1860 | p= &(d[4]); | 1867 | p= &(d[4]); |
1861 | 1868 | ||
1862 | for (i=0; r[i] != NULL && i<4; i++) | 1869 | for (i=0; i < 4 && r[i] != NULL; i++) |
1863 | { | 1870 | { |
1864 | #ifndef OPENSSL_NO_SRP | 1871 | #ifndef OPENSSL_NO_SRP |
1865 | if ((i == 2) && (type & SSL_kSRP)) | 1872 | if ((i == 2) && (type & SSL_kSRP)) |
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 8b0c2a2dac..7219a0e64b 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
@@ -493,6 +493,9 @@ struct ssl_session_st | |||
493 | char *psk_identity_hint; | 493 | char *psk_identity_hint; |
494 | char *psk_identity; | 494 | char *psk_identity; |
495 | #endif | 495 | #endif |
496 | /* Used to indicate that session resumption is not allowed. | ||
497 | * Applications can also set this bit for a new session via | ||
498 | * not_resumable_session_cb to disable session caching and tickets. */ | ||
496 | int not_resumable; | 499 | int not_resumable; |
497 | 500 | ||
498 | /* The cert is the certificate used to establish this connection */ | 501 | /* The cert is the certificate used to establish this connection */ |
@@ -535,7 +538,7 @@ struct ssl_session_st | |||
535 | #endif /* OPENSSL_NO_EC */ | 538 | #endif /* OPENSSL_NO_EC */ |
536 | /* RFC4507 info */ | 539 | /* RFC4507 info */ |
537 | unsigned char *tlsext_tick; /* Session ticket */ | 540 | unsigned char *tlsext_tick; /* Session ticket */ |
538 | size_t tlsext_ticklen; /* Session ticket length */ | 541 | size_t tlsext_ticklen; /* Session ticket length */ |
539 | long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ | 542 | long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ |
540 | #endif | 543 | #endif |
541 | #ifndef OPENSSL_NO_SRP | 544 | #ifndef OPENSSL_NO_SRP |
@@ -552,11 +555,14 @@ struct ssl_session_st | |||
552 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L | 555 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L |
553 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L | 556 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L |
554 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L | 557 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L |
555 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ | 558 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L |
556 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L | 559 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L |
557 | #define SSL_OP_TLS_D5_BUG 0x00000100L | 560 | #define SSL_OP_TLS_D5_BUG 0x00000100L |
558 | #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L | 561 | #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L |
559 | 562 | ||
563 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ | ||
564 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 | ||
565 | |||
560 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added | 566 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added |
561 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) | 567 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) |
562 | * the workaround is not needed. Unfortunately some broken SSL/TLS | 568 | * the workaround is not needed. Unfortunately some broken SSL/TLS |
@@ -638,6 +644,12 @@ struct ssl_session_st | |||
638 | * TLS only.) "Released" buffers are put onto a free-list in the context | 644 | * TLS only.) "Released" buffers are put onto a free-list in the context |
639 | * or just freed (depending on the context's setting for freelist_max_len). */ | 645 | * or just freed (depending on the context's setting for freelist_max_len). */ |
640 | #define SSL_MODE_RELEASE_BUFFERS 0x00000010L | 646 | #define SSL_MODE_RELEASE_BUFFERS 0x00000010L |
647 | /* Send the current time in the Random fields of the ClientHello and | ||
648 | * ServerHello records for compatibility with hypothetical implementations | ||
649 | * that require it. | ||
650 | */ | ||
651 | #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L | ||
652 | #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L | ||
641 | 653 | ||
642 | /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, | 654 | /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, |
643 | * they cannot be used to clear bits. */ | 655 | * they cannot be used to clear bits. */ |
@@ -903,7 +915,7 @@ struct ssl_ctx_st | |||
903 | */ | 915 | */ |
904 | unsigned int max_send_fragment; | 916 | unsigned int max_send_fragment; |
905 | 917 | ||
906 | #ifndef OPENSSL_ENGINE | 918 | #ifndef OPENSSL_NO_ENGINE |
907 | /* Engine to pass requests for client certs to | 919 | /* Engine to pass requests for client certs to |
908 | */ | 920 | */ |
909 | ENGINE *client_cert_engine; | 921 | ENGINE *client_cert_engine; |
@@ -927,6 +939,7 @@ struct ssl_ctx_st | |||
927 | /* Callback for status request */ | 939 | /* Callback for status request */ |
928 | int (*tlsext_status_cb)(SSL *ssl, void *arg); | 940 | int (*tlsext_status_cb)(SSL *ssl, void *arg); |
929 | void *tlsext_status_arg; | 941 | void *tlsext_status_arg; |
942 | |||
930 | /* draft-rescorla-tls-opaque-prf-input-00.txt information */ | 943 | /* draft-rescorla-tls-opaque-prf-input-00.txt information */ |
931 | int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); | 944 | int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); |
932 | void *tlsext_opaque_prf_input_callback_arg; | 945 | void *tlsext_opaque_prf_input_callback_arg; |
@@ -952,6 +965,7 @@ struct ssl_ctx_st | |||
952 | #endif | 965 | #endif |
953 | 966 | ||
954 | #ifndef OPENSSL_NO_TLSEXT | 967 | #ifndef OPENSSL_NO_TLSEXT |
968 | |||
955 | # ifndef OPENSSL_NO_NEXTPROTONEG | 969 | # ifndef OPENSSL_NO_NEXTPROTONEG |
956 | /* Next protocol negotiation information */ | 970 | /* Next protocol negotiation information */ |
957 | /* (for experimental NPN extension). */ | 971 | /* (for experimental NPN extension). */ |
@@ -2206,6 +2220,7 @@ void ERR_load_SSL_strings(void); | |||
2206 | #define SSL_F_SSL_GET_NEW_SESSION 181 | 2220 | #define SSL_F_SSL_GET_NEW_SESSION 181 |
2207 | #define SSL_F_SSL_GET_PREV_SESSION 217 | 2221 | #define SSL_F_SSL_GET_PREV_SESSION 217 |
2208 | #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 | 2222 | #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 |
2223 | #define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 | ||
2209 | #define SSL_F_SSL_GET_SIGN_PKEY 183 | 2224 | #define SSL_F_SSL_GET_SIGN_PKEY 183 |
2210 | #define SSL_F_SSL_INIT_WBIO_BUFFER 184 | 2225 | #define SSL_F_SSL_INIT_WBIO_BUFFER 184 |
2211 | #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 | 2226 | #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 |
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h index 112e627de0..cb8b2492ec 100644 --- a/src/lib/libssl/ssl3.h +++ b/src/lib/libssl/ssl3.h | |||
@@ -539,6 +539,15 @@ typedef struct ssl3_state_st | |||
539 | /* Set if we saw the Next Protocol Negotiation extension from our peer. */ | 539 | /* Set if we saw the Next Protocol Negotiation extension from our peer. */ |
540 | int next_proto_neg_seen; | 540 | int next_proto_neg_seen; |
541 | #endif | 541 | #endif |
542 | |||
543 | #ifndef OPENSSL_NO_TLSEXT | ||
544 | #ifndef OPENSSL_NO_EC | ||
545 | /* This is set to true if we believe that this is a version of Safari | ||
546 | * running on OS X 10.6 or newer. We wish to know this because Safari | ||
547 | * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ | ||
548 | char is_probably_safari; | ||
549 | #endif /* !OPENSSL_NO_EC */ | ||
550 | #endif /* !OPENSSL_NO_TLSEXT */ | ||
542 | } SSL3_STATE; | 551 | } SSL3_STATE; |
543 | 552 | ||
544 | #endif | 553 | #endif |
@@ -578,8 +587,10 @@ typedef struct ssl3_state_st | |||
578 | #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) | 587 | #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) |
579 | #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) | 588 | #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) |
580 | #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) | 589 | #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) |
590 | #ifndef OPENSSL_NO_NEXTPROTONEG | ||
581 | #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) | 591 | #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) |
582 | #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) | 592 | #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) |
593 | #endif | ||
583 | #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) | 594 | #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) |
584 | #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) | 595 | #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) |
585 | /* read from server */ | 596 | /* read from server */ |
@@ -629,8 +640,10 @@ typedef struct ssl3_state_st | |||
629 | #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) | 640 | #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) |
630 | #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) | 641 | #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) |
631 | #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) | 642 | #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) |
643 | #ifndef OPENSSL_NO_NEXTPROTONEG | ||
632 | #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) | 644 | #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) |
633 | #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) | 645 | #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) |
646 | #endif | ||
634 | #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) | 647 | #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) |
635 | #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) | 648 | #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) |
636 | /* write to client */ | 649 | /* write to client */ |
@@ -655,7 +668,9 @@ typedef struct ssl3_state_st | |||
655 | #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 | 668 | #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 |
656 | #define SSL3_MT_FINISHED 20 | 669 | #define SSL3_MT_FINISHED 20 |
657 | #define SSL3_MT_CERTIFICATE_STATUS 22 | 670 | #define SSL3_MT_CERTIFICATE_STATUS 22 |
671 | #ifndef OPENSSL_NO_NEXTPROTONEG | ||
658 | #define SSL3_MT_NEXT_PROTO 67 | 672 | #define SSL3_MT_NEXT_PROTO 67 |
673 | #endif | ||
659 | #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 | 674 | #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 |
660 | 675 | ||
661 | 676 | ||
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c index d443143c59..9c34d19725 100644 --- a/src/lib/libssl/ssl_algs.c +++ b/src/lib/libssl/ssl_algs.c | |||
@@ -94,6 +94,7 @@ int SSL_library_init(void) | |||
94 | EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); | 94 | EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); |
95 | EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); | 95 | EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); |
96 | #endif | 96 | #endif |
97 | |||
97 | #endif | 98 | #endif |
98 | #ifndef OPENSSL_NO_CAMELLIA | 99 | #ifndef OPENSSL_NO_CAMELLIA |
99 | EVP_add_cipher(EVP_camellia_128_cbc()); | 100 | EVP_add_cipher(EVP_camellia_128_cbc()); |
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 917be31876..5123a89182 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c | |||
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT *cert) | |||
164 | { | 164 | { |
165 | /* Set digest values to defaults */ | 165 | /* Set digest values to defaults */ |
166 | #ifndef OPENSSL_NO_DSA | 166 | #ifndef OPENSSL_NO_DSA |
167 | cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); | 167 | cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); |
168 | #endif | 168 | #endif |
169 | #ifndef OPENSSL_NO_RSA | 169 | #ifndef OPENSSL_NO_RSA |
170 | cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); | 170 | cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); |
171 | cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); | 171 | cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); |
172 | #endif | 172 | #endif |
173 | #ifndef OPENSSL_NO_ECDSA | 173 | #ifndef OPENSSL_NO_ECDSA |
174 | cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); | 174 | cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); |
175 | #endif | 175 | #endif |
176 | } | 176 | } |
177 | 177 | ||
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 92d1e94d6a..0aba8e048c 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
@@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
312 | {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, | 312 | {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, |
313 | {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, | 313 | {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, |
314 | {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, | 314 | {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, |
315 | {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0}, | ||
315 | 316 | ||
316 | /* export flag */ | 317 | /* export flag */ |
317 | {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, | 318 | {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, |
@@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
1150 | while ( ((ch >= 'A') && (ch <= 'Z')) || | 1151 | while ( ((ch >= 'A') && (ch <= 'Z')) || |
1151 | ((ch >= '0') && (ch <= '9')) || | 1152 | ((ch >= '0') && (ch <= '9')) || |
1152 | ((ch >= 'a') && (ch <= 'z')) || | 1153 | ((ch >= 'a') && (ch <= 'z')) || |
1153 | (ch == '-')) | 1154 | (ch == '-') || (ch == '.')) |
1154 | #else | 1155 | #else |
1155 | while ( isalnum(ch) || (ch == '-')) | 1156 | while ( isalnum(ch) || (ch == '-') || (ch == '.')) |
1156 | #endif | 1157 | #endif |
1157 | { | 1158 | { |
1158 | ch = *(++l); | 1159 | ch = *(++l); |
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index 2577c6895a..370fb57e3b 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c | |||
@@ -228,6 +228,7 @@ static ERR_STRING_DATA SSL_str_functs[]= | |||
228 | {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, | 228 | {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, |
229 | {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, | 229 | {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, |
230 | {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, | 230 | {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, |
231 | {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"}, | ||
231 | {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, | 232 | {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, |
232 | {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, | 233 | {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, |
233 | {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, | 234 | {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index f82d071d6e..6dbc3c1f7d 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
@@ -597,8 +597,10 @@ void SSL_free(SSL *s) | |||
597 | OPENSSL_free(s->next_proto_negotiated); | 597 | OPENSSL_free(s->next_proto_negotiated); |
598 | #endif | 598 | #endif |
599 | 599 | ||
600 | #ifndef OPENSSL_NO_SRTP | ||
600 | if (s->srtp_profiles) | 601 | if (s->srtp_profiles) |
601 | sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); | 602 | sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); |
603 | #endif | ||
602 | 604 | ||
603 | OPENSSL_free(s); | 605 | OPENSSL_free(s); |
604 | } | 606 | } |
@@ -1795,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) | |||
1795 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); | 1797 | CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); |
1796 | 1798 | ||
1797 | ret->extra_certs=NULL; | 1799 | ret->extra_certs=NULL; |
1798 | ret->comp_methods=SSL_COMP_get_compression_methods(); | 1800 | /* No compression for DTLS */ |
1801 | if (meth->version != DTLS1_VERSION) | ||
1802 | ret->comp_methods=SSL_COMP_get_compression_methods(); | ||
1799 | 1803 | ||
1800 | ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; | 1804 | ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; |
1801 | 1805 | ||
@@ -1952,8 +1956,10 @@ void SSL_CTX_free(SSL_CTX *a) | |||
1952 | a->comp_methods = NULL; | 1956 | a->comp_methods = NULL; |
1953 | #endif | 1957 | #endif |
1954 | 1958 | ||
1959 | #ifndef OPENSSL_NO_SRTP | ||
1955 | if (a->srtp_profiles) | 1960 | if (a->srtp_profiles) |
1956 | sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); | 1961 | sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); |
1962 | #endif | ||
1957 | 1963 | ||
1958 | #ifndef OPENSSL_NO_PSK | 1964 | #ifndef OPENSSL_NO_PSK |
1959 | if (a->psk_identity_hint) | 1965 | if (a->psk_identity_hint) |
@@ -2287,7 +2293,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) | |||
2287 | #endif | 2293 | #endif |
2288 | 2294 | ||
2289 | /* THIS NEEDS CLEANING UP */ | 2295 | /* THIS NEEDS CLEANING UP */ |
2290 | X509 *ssl_get_server_send_cert(SSL *s) | 2296 | CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) |
2291 | { | 2297 | { |
2292 | unsigned long alg_k,alg_a; | 2298 | unsigned long alg_k,alg_a; |
2293 | CERT *c; | 2299 | CERT *c; |
@@ -2342,12 +2348,20 @@ X509 *ssl_get_server_send_cert(SSL *s) | |||
2342 | i=SSL_PKEY_GOST01; | 2348 | i=SSL_PKEY_GOST01; |
2343 | else /* if (alg_a & SSL_aNULL) */ | 2349 | else /* if (alg_a & SSL_aNULL) */ |
2344 | { | 2350 | { |
2345 | SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); | 2351 | SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR); |
2346 | return(NULL); | 2352 | return(NULL); |
2347 | } | 2353 | } |
2348 | if (c->pkeys[i].x509 == NULL) return(NULL); | ||
2349 | 2354 | ||
2350 | return(c->pkeys[i].x509); | 2355 | return c->pkeys + i; |
2356 | } | ||
2357 | |||
2358 | X509 *ssl_get_server_send_cert(const SSL *s) | ||
2359 | { | ||
2360 | CERT_PKEY *cpk; | ||
2361 | cpk = ssl_get_server_send_pkey(s); | ||
2362 | if (!cpk) | ||
2363 | return NULL; | ||
2364 | return cpk->x509; | ||
2351 | } | 2365 | } |
2352 | 2366 | ||
2353 | EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) | 2367 | EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) |
@@ -2608,7 +2622,7 @@ const char *SSL_get_version(const SSL *s) | |||
2608 | return("TLSv1.2"); | 2622 | return("TLSv1.2"); |
2609 | else if (s->version == TLS1_1_VERSION) | 2623 | else if (s->version == TLS1_1_VERSION) |
2610 | return("TLSv1.1"); | 2624 | return("TLSv1.1"); |
2611 | if (s->version == TLS1_VERSION) | 2625 | else if (s->version == TLS1_VERSION) |
2612 | return("TLSv1"); | 2626 | return("TLSv1"); |
2613 | else if (s->version == SSL3_VERSION) | 2627 | else if (s->version == SSL3_VERSION) |
2614 | return("SSLv3"); | 2628 | return("SSLv3"); |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index d87fd51cfa..e485907748 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
@@ -215,6 +215,15 @@ | |||
215 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ | 215 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
216 | *((c)++)=(unsigned char)(((l) )&0xff)) | 216 | *((c)++)=(unsigned char)(((l) )&0xff)) |
217 | 217 | ||
218 | #define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ | ||
219 | *((c)++)=(unsigned char)(((l)>>48)&0xff), \ | ||
220 | *((c)++)=(unsigned char)(((l)>>40)&0xff), \ | ||
221 | *((c)++)=(unsigned char)(((l)>>32)&0xff), \ | ||
222 | *((c)++)=(unsigned char)(((l)>>24)&0xff), \ | ||
223 | *((c)++)=(unsigned char)(((l)>>16)&0xff), \ | ||
224 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ | ||
225 | *((c)++)=(unsigned char)(((l) )&0xff)) | ||
226 | |||
218 | #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ | 227 | #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ |
219 | l|=((BN_ULLONG)(*((c)++)))<<32, \ | 228 | l|=((BN_ULLONG)(*((c)++)))<<32, \ |
220 | l|=((BN_ULLONG)(*((c)++)))<<24, \ | 229 | l|=((BN_ULLONG)(*((c)++)))<<24, \ |
@@ -612,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; | |||
612 | extern SSL3_ENC_METHOD SSLv3_enc_data; | 621 | extern SSL3_ENC_METHOD SSLv3_enc_data; |
613 | extern SSL3_ENC_METHOD DTLSv1_enc_data; | 622 | extern SSL3_ENC_METHOD DTLSv1_enc_data; |
614 | 623 | ||
624 | #define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) | ||
625 | |||
615 | #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ | 626 | #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ |
616 | s_get_meth) \ | 627 | s_get_meth) \ |
617 | const SSL_METHOD *func_name(void) \ | 628 | const SSL_METHOD *func_name(void) \ |
@@ -830,13 +841,15 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); | |||
830 | int ssl_undefined_function(SSL *s); | 841 | int ssl_undefined_function(SSL *s); |
831 | int ssl_undefined_void_function(void); | 842 | int ssl_undefined_void_function(void); |
832 | int ssl_undefined_const_function(const SSL *s); | 843 | int ssl_undefined_const_function(const SSL *s); |
833 | X509 *ssl_get_server_send_cert(SSL *); | 844 | CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); |
845 | X509 *ssl_get_server_send_cert(const SSL *); | ||
834 | EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); | 846 | EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); |
835 | int ssl_cert_type(X509 *x,EVP_PKEY *pkey); | 847 | int ssl_cert_type(X509 *x,EVP_PKEY *pkey); |
836 | void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); | 848 | void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); |
837 | STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); | 849 | STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); |
838 | int ssl_verify_alarm_type(long type); | 850 | int ssl_verify_alarm_type(long type); |
839 | void ssl_load_ciphers(void); | 851 | void ssl_load_ciphers(void); |
852 | int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); | ||
840 | 853 | ||
841 | int ssl2_enc_init(SSL *s, int client); | 854 | int ssl2_enc_init(SSL *s, int client); |
842 | int ssl2_generate_key_material(SSL *s); | 855 | int ssl2_generate_key_material(SSL *s); |
@@ -1088,7 +1101,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, | |||
1088 | int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); | 1101 | int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); |
1089 | int ssl_prepare_clienthello_tlsext(SSL *s); | 1102 | int ssl_prepare_clienthello_tlsext(SSL *s); |
1090 | int ssl_prepare_serverhello_tlsext(SSL *s); | 1103 | int ssl_prepare_serverhello_tlsext(SSL *s); |
1091 | int ssl_check_clienthello_tlsext(SSL *s); | 1104 | int ssl_check_clienthello_tlsext_early(SSL *s); |
1105 | int ssl_check_clienthello_tlsext_late(SSL *s); | ||
1092 | int ssl_check_serverhello_tlsext(SSL *s); | 1106 | int ssl_check_serverhello_tlsext(SSL *s); |
1093 | 1107 | ||
1094 | #ifndef OPENSSL_NO_HEARTBEATS | 1108 | #ifndef OPENSSL_NO_HEARTBEATS |
@@ -1131,4 +1145,33 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al | |||
1131 | int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); | 1145 | int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); |
1132 | int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); | 1146 | int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); |
1133 | 1147 | ||
1148 | /* s3_cbc.c */ | ||
1149 | void ssl3_cbc_copy_mac(unsigned char* out, | ||
1150 | const SSL3_RECORD *rec, | ||
1151 | unsigned md_size,unsigned orig_len); | ||
1152 | int ssl3_cbc_remove_padding(const SSL* s, | ||
1153 | SSL3_RECORD *rec, | ||
1154 | unsigned block_size, | ||
1155 | unsigned mac_size); | ||
1156 | int tls1_cbc_remove_padding(const SSL* s, | ||
1157 | SSL3_RECORD *rec, | ||
1158 | unsigned block_size, | ||
1159 | unsigned mac_size); | ||
1160 | char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); | ||
1161 | void ssl3_cbc_digest_record( | ||
1162 | const EVP_MD_CTX *ctx, | ||
1163 | unsigned char* md_out, | ||
1164 | size_t* md_out_size, | ||
1165 | const unsigned char header[13], | ||
1166 | const unsigned char *data, | ||
1167 | size_t data_plus_mac_size, | ||
1168 | size_t data_plus_mac_plus_padding_size, | ||
1169 | const unsigned char *mac_secret, | ||
1170 | unsigned mac_secret_length, | ||
1171 | char is_sslv3); | ||
1172 | |||
1173 | void tls_fips_digest_extra( | ||
1174 | const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, | ||
1175 | const unsigned char *data, size_t data_len, size_t orig_len); | ||
1176 | |||
1134 | #endif | 1177 | #endif |
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index c0960b5712..60e7b66859 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c | |||
@@ -710,7 +710,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) | |||
710 | 710 | ||
711 | ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ | 711 | ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ |
712 | 712 | ||
713 | in=BIO_new(BIO_s_file_internal()); | 713 | in = BIO_new(BIO_s_file_internal()); |
714 | if (in == NULL) | 714 | if (in == NULL) |
715 | { | 715 | { |
716 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); | 716 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); |
@@ -723,14 +723,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) | |||
723 | goto end; | 723 | goto end; |
724 | } | 724 | } |
725 | 725 | ||
726 | x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); | 726 | x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback, |
727 | ctx->default_passwd_callback_userdata); | ||
727 | if (x == NULL) | 728 | if (x == NULL) |
728 | { | 729 | { |
729 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); | 730 | SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); |
730 | goto end; | 731 | goto end; |
731 | } | 732 | } |
732 | 733 | ||
733 | ret=SSL_CTX_use_certificate(ctx,x); | 734 | ret = SSL_CTX_use_certificate(ctx, x); |
735 | |||
734 | if (ERR_peek_error() != 0) | 736 | if (ERR_peek_error() != 0) |
735 | ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ | 737 | ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ |
736 | if (ret) | 738 | if (ret) |
@@ -742,13 +744,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) | |||
742 | int r; | 744 | int r; |
743 | unsigned long err; | 745 | unsigned long err; |
744 | 746 | ||
745 | if (ctx->extra_certs != NULL) | 747 | if (ctx->extra_certs != NULL) |
746 | { | 748 | { |
747 | sk_X509_pop_free(ctx->extra_certs, X509_free); | 749 | sk_X509_pop_free(ctx->extra_certs, X509_free); |
748 | ctx->extra_certs = NULL; | 750 | ctx->extra_certs = NULL; |
749 | } | 751 | } |
750 | 752 | ||
751 | while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) | 753 | while ((ca = PEM_read_bio_X509(in, NULL, |
754 | ctx->default_passwd_callback, | ||
755 | ctx->default_passwd_callback_userdata)) | ||
752 | != NULL) | 756 | != NULL) |
753 | { | 757 | { |
754 | r = SSL_CTX_add_extra_chain_cert(ctx, ca); | 758 | r = SSL_CTX_add_extra_chain_cert(ctx, ca); |
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index f7bdeb3b9d..0c4cddedf8 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c | |||
@@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which) | |||
361 | { | 361 | { |
362 | int i; | 362 | int i; |
363 | for (i=0; i<s->s3->tmp.key_block_length; i++) | 363 | for (i=0; i<s->s3->tmp.key_block_length; i++) |
364 | printf("%02x", key_block[i]); printf("\n"); | 364 | printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); |
365 | } | 365 | } |
366 | #endif /* KSSL_DEBUG */ | 366 | #endif /* KSSL_DEBUG */ |
367 | 367 | ||
@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) | |||
414 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; | 414 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; |
415 | else | 415 | else |
416 | s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; | 416 | s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; |
417 | if (s->enc_write_ctx != NULL) | 417 | if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) |
418 | reuse_dd = 1; | 418 | reuse_dd = 1; |
419 | else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) | 419 | else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) |
420 | goto err; | 420 | goto err; |
421 | else | ||
422 | /* make sure it's intialized in case we exit later with an error */ | ||
423 | EVP_CIPHER_CTX_init(s->enc_write_ctx); | ||
424 | dd= s->enc_write_ctx; | 421 | dd= s->enc_write_ctx; |
425 | mac_ctx = ssl_replace_hash(&s->write_hash,NULL); | 422 | if (SSL_IS_DTLS(s)) |
423 | { | ||
424 | mac_ctx = EVP_MD_CTX_create(); | ||
425 | if (!mac_ctx) | ||
426 | goto err; | ||
427 | s->write_hash = mac_ctx; | ||
428 | } | ||
429 | else | ||
430 | mac_ctx = ssl_replace_hash(&s->write_hash,NULL); | ||
426 | #ifndef OPENSSL_NO_COMP | 431 | #ifndef OPENSSL_NO_COMP |
427 | if (s->compress != NULL) | 432 | if (s->compress != NULL) |
428 | { | 433 | { |
@@ -667,12 +672,21 @@ err: | |||
667 | return(ret); | 672 | return(ret); |
668 | } | 673 | } |
669 | 674 | ||
675 | /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. | ||
676 | * | ||
677 | * Returns: | ||
678 | * 0: (in non-constant time) if the record is publically invalid (i.e. too | ||
679 | * short etc). | ||
680 | * 1: if the record's padding is valid / the encryption was successful. | ||
681 | * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, | ||
682 | * an internal error occured. | ||
683 | */ | ||
670 | int tls1_enc(SSL *s, int send) | 684 | int tls1_enc(SSL *s, int send) |
671 | { | 685 | { |
672 | SSL3_RECORD *rec; | 686 | SSL3_RECORD *rec; |
673 | EVP_CIPHER_CTX *ds; | 687 | EVP_CIPHER_CTX *ds; |
674 | unsigned long l; | 688 | unsigned long l; |
675 | int bs,i,ii,j,k,pad=0; | 689 | int bs,i,j,k,pad=0,ret,mac_size=0; |
676 | const EVP_CIPHER *enc; | 690 | const EVP_CIPHER *enc; |
677 | 691 | ||
678 | if (send) | 692 | if (send) |
@@ -729,11 +743,11 @@ int tls1_enc(SSL *s, int send) | |||
729 | printf("tls1_enc(%d)\n", send); | 743 | printf("tls1_enc(%d)\n", send); |
730 | #endif /* KSSL_DEBUG */ | 744 | #endif /* KSSL_DEBUG */ |
731 | 745 | ||
732 | if ((s->session == NULL) || (ds == NULL) || | 746 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) |
733 | (enc == NULL)) | ||
734 | { | 747 | { |
735 | memmove(rec->data,rec->input,rec->length); | 748 | memmove(rec->data,rec->input,rec->length); |
736 | rec->input=rec->data; | 749 | rec->input=rec->data; |
750 | ret = 1; | ||
737 | } | 751 | } |
738 | else | 752 | else |
739 | { | 753 | { |
@@ -797,13 +811,13 @@ int tls1_enc(SSL *s, int send) | |||
797 | 811 | ||
798 | #ifdef KSSL_DEBUG | 812 | #ifdef KSSL_DEBUG |
799 | { | 813 | { |
800 | unsigned long ui; | 814 | unsigned long ui; |
801 | printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", | 815 | printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", |
802 | ds,rec->data,rec->input,l); | 816 | ds,rec->data,rec->input,l); |
803 | printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", | 817 | printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", |
804 | ds->buf_len, ds->cipher->key_len, | 818 | ds->buf_len, ds->cipher->key_len, |
805 | DES_KEY_SZ, DES_SCHEDULE_SZ, | 819 | DES_KEY_SZ, DES_SCHEDULE_SZ, |
806 | ds->cipher->iv_len); | 820 | ds->cipher->iv_len); |
807 | printf("\t\tIV: "); | 821 | printf("\t\tIV: "); |
808 | for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); | 822 | for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); |
809 | printf("\n"); | 823 | printf("\n"); |
@@ -816,13 +830,7 @@ int tls1_enc(SSL *s, int send) | |||
816 | if (!send) | 830 | if (!send) |
817 | { | 831 | { |
818 | if (l == 0 || l%bs != 0) | 832 | if (l == 0 || l%bs != 0) |
819 | { | ||
820 | if (s->version >= TLS1_1_VERSION) | ||
821 | return -1; | ||
822 | SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); | ||
823 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); | ||
824 | return 0; | 833 | return 0; |
825 | } | ||
826 | } | 834 | } |
827 | 835 | ||
828 | i = EVP_Cipher(ds,rec->data,rec->input,l); | 836 | i = EVP_Cipher(ds,rec->data,rec->input,l); |
@@ -839,68 +847,24 @@ int tls1_enc(SSL *s, int send) | |||
839 | 847 | ||
840 | #ifdef KSSL_DEBUG | 848 | #ifdef KSSL_DEBUG |
841 | { | 849 | { |
842 | unsigned long i; | 850 | unsigned long i; |
843 | printf("\trec->data="); | 851 | printf("\trec->data="); |
844 | for (i=0; i<l; i++) | 852 | for (i=0; i<l; i++) |
845 | printf(" %02x", rec->data[i]); printf("\n"); | 853 | printf(" %02x", rec->data[i]); printf("\n"); |
846 | } | 854 | } |
847 | #endif /* KSSL_DEBUG */ | 855 | #endif /* KSSL_DEBUG */ |
848 | 856 | ||
857 | ret = 1; | ||
858 | if (EVP_MD_CTX_md(s->read_hash) != NULL) | ||
859 | mac_size = EVP_MD_CTX_size(s->read_hash); | ||
849 | if ((bs != 1) && !send) | 860 | if ((bs != 1) && !send) |
850 | { | 861 | ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); |
851 | ii=i=rec->data[l-1]; /* padding_length */ | ||
852 | i++; | ||
853 | /* NB: if compression is in operation the first packet | ||
854 | * may not be of even length so the padding bug check | ||
855 | * cannot be performed. This bug workaround has been | ||
856 | * around since SSLeay so hopefully it is either fixed | ||
857 | * now or no buggy implementation supports compression | ||
858 | * [steve] | ||
859 | */ | ||
860 | if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) | ||
861 | && !s->expand) | ||
862 | { | ||
863 | /* First packet is even in size, so check */ | ||
864 | if ((memcmp(s->s3->read_sequence, | ||
865 | "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) | ||
866 | s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; | ||
867 | if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) | ||
868 | i--; | ||
869 | } | ||
870 | /* TLS 1.0 does not bound the number of padding bytes by the block size. | ||
871 | * All of them must have value 'padding_length'. */ | ||
872 | if (i > (int)rec->length) | ||
873 | { | ||
874 | /* Incorrect padding. SSLerr() and ssl3_alert are done | ||
875 | * by caller: we don't want to reveal whether this is | ||
876 | * a decryption error or a MAC verification failure | ||
877 | * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ | ||
878 | return -1; | ||
879 | } | ||
880 | for (j=(int)(l-i); j<(int)l; j++) | ||
881 | { | ||
882 | if (rec->data[j] != ii) | ||
883 | { | ||
884 | /* Incorrect padding */ | ||
885 | return -1; | ||
886 | } | ||
887 | } | ||
888 | rec->length -=i; | ||
889 | if (s->version >= TLS1_1_VERSION | ||
890 | && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) | ||
891 | { | ||
892 | if (bs > (int)rec->length) | ||
893 | return -1; | ||
894 | rec->data += bs; /* skip the explicit IV */ | ||
895 | rec->input += bs; | ||
896 | rec->length -= bs; | ||
897 | } | ||
898 | } | ||
899 | if (pad && !send) | 862 | if (pad && !send) |
900 | rec->length -= pad; | 863 | rec->length -= pad; |
901 | } | 864 | } |
902 | return(1); | 865 | return ret; |
903 | } | 866 | } |
867 | |||
904 | int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) | 868 | int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) |
905 | { | 869 | { |
906 | unsigned int ret; | 870 | unsigned int ret; |
@@ -956,18 +920,19 @@ int tls1_final_finish_mac(SSL *s, | |||
956 | if (mask & ssl_get_algorithm2(s)) | 920 | if (mask & ssl_get_algorithm2(s)) |
957 | { | 921 | { |
958 | int hashsize = EVP_MD_size(md); | 922 | int hashsize = EVP_MD_size(md); |
959 | if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) | 923 | EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; |
924 | if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) | ||
960 | { | 925 | { |
961 | /* internal error: 'buf' is too small for this cipersuite! */ | 926 | /* internal error: 'buf' is too small for this cipersuite! */ |
962 | err = 1; | 927 | err = 1; |
963 | } | 928 | } |
964 | else | 929 | else |
965 | { | 930 | { |
966 | EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); | 931 | if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || |
967 | EVP_DigestFinal_ex(&ctx,q,&i); | 932 | !EVP_DigestFinal_ex(&ctx,q,&i) || |
968 | if (i != (unsigned int)hashsize) /* can't really happen */ | 933 | (i != (unsigned int)hashsize)) |
969 | err = 1; | 934 | err = 1; |
970 | q+=i; | 935 | q+=hashsize; |
971 | } | 936 | } |
972 | } | 937 | } |
973 | } | 938 | } |
@@ -990,10 +955,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) | |||
990 | SSL3_RECORD *rec; | 955 | SSL3_RECORD *rec; |
991 | unsigned char *seq; | 956 | unsigned char *seq; |
992 | EVP_MD_CTX *hash; | 957 | EVP_MD_CTX *hash; |
993 | size_t md_size; | 958 | size_t md_size, orig_len; |
994 | int i; | 959 | int i; |
995 | EVP_MD_CTX hmac, *mac_ctx; | 960 | EVP_MD_CTX hmac, *mac_ctx; |
996 | unsigned char buf[5]; | 961 | unsigned char header[13]; |
997 | int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); | 962 | int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); |
998 | int t; | 963 | int t; |
999 | 964 | ||
@@ -1014,12 +979,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) | |||
1014 | OPENSSL_assert(t >= 0); | 979 | OPENSSL_assert(t >= 0); |
1015 | md_size=t; | 980 | md_size=t; |
1016 | 981 | ||
1017 | buf[0]=rec->type; | ||
1018 | buf[1]=(unsigned char)(ssl->version>>8); | ||
1019 | buf[2]=(unsigned char)(ssl->version); | ||
1020 | buf[3]=rec->length>>8; | ||
1021 | buf[4]=rec->length&0xff; | ||
1022 | |||
1023 | /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ | 982 | /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ |
1024 | if (stream_mac) | 983 | if (stream_mac) |
1025 | { | 984 | { |
@@ -1027,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) | |||
1027 | } | 986 | } |
1028 | else | 987 | else |
1029 | { | 988 | { |
1030 | EVP_MD_CTX_copy(&hmac,hash); | 989 | if (!EVP_MD_CTX_copy(&hmac,hash)) |
990 | return -1; | ||
1031 | mac_ctx = &hmac; | 991 | mac_ctx = &hmac; |
1032 | } | 992 | } |
1033 | 993 | ||
@@ -1038,17 +998,55 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) | |||
1038 | s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); | 998 | s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); |
1039 | memcpy (p,&seq[2],6); | 999 | memcpy (p,&seq[2],6); |
1040 | 1000 | ||
1041 | EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); | 1001 | memcpy(header, dtlsseq, 8); |
1042 | } | 1002 | } |
1043 | else | 1003 | else |
1044 | EVP_DigestSignUpdate(mac_ctx,seq,8); | 1004 | memcpy(header, seq, 8); |
1005 | |||
1006 | /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ | ||
1007 | orig_len = rec->length+md_size+((unsigned int)rec->type>>8); | ||
1008 | rec->type &= 0xff; | ||
1045 | 1009 | ||
1046 | EVP_DigestSignUpdate(mac_ctx,buf,5); | 1010 | header[8]=rec->type; |
1047 | EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); | 1011 | header[9]=(unsigned char)(ssl->version>>8); |
1048 | t=EVP_DigestSignFinal(mac_ctx,md,&md_size); | 1012 | header[10]=(unsigned char)(ssl->version); |
1049 | OPENSSL_assert(t > 0); | 1013 | header[11]=(rec->length)>>8; |
1014 | header[12]=(rec->length)&0xff; | ||
1015 | |||
1016 | if (!send && | ||
1017 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && | ||
1018 | ssl3_cbc_record_digest_supported(mac_ctx)) | ||
1019 | { | ||
1020 | /* This is a CBC-encrypted record. We must avoid leaking any | ||
1021 | * timing-side channel information about how many blocks of | ||
1022 | * data we are hashing because that gives an attacker a | ||
1023 | * timing-oracle. */ | ||
1024 | ssl3_cbc_digest_record( | ||
1025 | mac_ctx, | ||
1026 | md, &md_size, | ||
1027 | header, rec->input, | ||
1028 | rec->length + md_size, orig_len, | ||
1029 | ssl->s3->read_mac_secret, | ||
1030 | ssl->s3->read_mac_secret_size, | ||
1031 | 0 /* not SSLv3 */); | ||
1032 | } | ||
1033 | else | ||
1034 | { | ||
1035 | EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); | ||
1036 | EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); | ||
1037 | t=EVP_DigestSignFinal(mac_ctx,md,&md_size); | ||
1038 | OPENSSL_assert(t > 0); | ||
1039 | #ifdef OPENSSL_FIPS | ||
1040 | if (!send && FIPS_mode()) | ||
1041 | tls_fips_digest_extra( | ||
1042 | ssl->enc_read_ctx, | ||
1043 | mac_ctx, rec->input, | ||
1044 | rec->length, orig_len); | ||
1045 | #endif | ||
1046 | } | ||
1050 | 1047 | ||
1051 | if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); | 1048 | if (!stream_mac) |
1049 | EVP_MD_CTX_cleanup(&hmac); | ||
1052 | #ifdef TLS_DEBUG | 1050 | #ifdef TLS_DEBUG |
1053 | printf("sec="); | 1051 | printf("sec="); |
1054 | {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } | 1052 | {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 27c8e3460d..bddffd92cc 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = { | |||
342 | #ifndef OPENSSL_NO_SHA | 342 | #ifndef OPENSSL_NO_SHA |
343 | tlsext_sigalg(TLSEXT_hash_sha1) | 343 | tlsext_sigalg(TLSEXT_hash_sha1) |
344 | #endif | 344 | #endif |
345 | #ifndef OPENSSL_NO_MD5 | ||
346 | tlsext_sigalg_rsa(TLSEXT_hash_md5) | ||
347 | #endif | ||
348 | }; | 345 | }; |
349 | 346 | ||
350 | int tls12_get_req_sig_algs(SSL *s, unsigned char *p) | 347 | int tls12_get_req_sig_algs(SSL *s, unsigned char *p) |
351 | { | 348 | { |
352 | size_t slen = sizeof(tls12_sigalgs); | 349 | size_t slen = sizeof(tls12_sigalgs); |
353 | #ifdef OPENSSL_FIPS | ||
354 | /* If FIPS mode don't include MD5 which is last */ | ||
355 | if (FIPS_mode()) | ||
356 | slen -= 2; | ||
357 | #endif | ||
358 | if (p) | 350 | if (p) |
359 | memcpy(p, tls12_sigalgs, slen); | 351 | memcpy(p, tls12_sigalgs, slen); |
360 | return (int)slen; | 352 | return (int)slen; |
@@ -649,6 +641,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha | |||
649 | } | 641 | } |
650 | #endif | 642 | #endif |
651 | 643 | ||
644 | #ifndef OPENSSL_NO_SRTP | ||
652 | if(SSL_get_srtp_profiles(s)) | 645 | if(SSL_get_srtp_profiles(s)) |
653 | { | 646 | { |
654 | int el; | 647 | int el; |
@@ -667,6 +660,37 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha | |||
667 | } | 660 | } |
668 | ret += el; | 661 | ret += el; |
669 | } | 662 | } |
663 | #endif | ||
664 | |||
665 | #ifdef TLSEXT_TYPE_padding | ||
666 | /* Add padding to workaround bugs in F5 terminators. | ||
667 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 | ||
668 | * | ||
669 | * NB: because this code works out the length of all existing | ||
670 | * extensions it MUST always appear last. | ||
671 | */ | ||
672 | { | ||
673 | int hlen = ret - (unsigned char *)s->init_buf->data; | ||
674 | /* The code in s23_clnt.c to build ClientHello messages includes the | ||
675 | * 5-byte record header in the buffer, while the code in s3_clnt.c does | ||
676 | * not. */ | ||
677 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) | ||
678 | hlen -= 5; | ||
679 | if (hlen > 0xff && hlen < 0x200) | ||
680 | { | ||
681 | hlen = 0x200 - hlen; | ||
682 | if (hlen >= 4) | ||
683 | hlen -= 4; | ||
684 | else | ||
685 | hlen = 0; | ||
686 | |||
687 | s2n(TLSEXT_TYPE_padding, ret); | ||
688 | s2n(hlen, ret); | ||
689 | memset(ret, 0, hlen); | ||
690 | ret += hlen; | ||
691 | } | ||
692 | } | ||
693 | #endif | ||
670 | 694 | ||
671 | if ((extdatalen = ret-p-2)== 0) | 695 | if ((extdatalen = ret-p-2)== 0) |
672 | return p; | 696 | return p; |
@@ -781,6 +805,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha | |||
781 | } | 805 | } |
782 | #endif | 806 | #endif |
783 | 807 | ||
808 | #ifndef OPENSSL_NO_SRTP | ||
784 | if(s->srtp_profile) | 809 | if(s->srtp_profile) |
785 | { | 810 | { |
786 | int el; | 811 | int el; |
@@ -799,6 +824,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha | |||
799 | } | 824 | } |
800 | ret+=el; | 825 | ret+=el; |
801 | } | 826 | } |
827 | #endif | ||
802 | 828 | ||
803 | if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) | 829 | if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) |
804 | && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) | 830 | && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) |
@@ -862,6 +888,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha | |||
862 | return ret; | 888 | return ret; |
863 | } | 889 | } |
864 | 890 | ||
891 | #ifndef OPENSSL_NO_EC | ||
892 | /* ssl_check_for_safari attempts to fingerprint Safari using OS X | ||
893 | * SecureTransport using the TLS extension block in |d|, of length |n|. | ||
894 | * Safari, since 10.6, sends exactly these extensions, in this order: | ||
895 | * SNI, | ||
896 | * elliptic_curves | ||
897 | * ec_point_formats | ||
898 | * | ||
899 | * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, | ||
900 | * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. | ||
901 | * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from | ||
902 | * 10.8..10.8.3 (which don't work). | ||
903 | */ | ||
904 | static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { | ||
905 | unsigned short type, size; | ||
906 | static const unsigned char kSafariExtensionsBlock[] = { | ||
907 | 0x00, 0x0a, /* elliptic_curves extension */ | ||
908 | 0x00, 0x08, /* 8 bytes */ | ||
909 | 0x00, 0x06, /* 6 bytes of curve ids */ | ||
910 | 0x00, 0x17, /* P-256 */ | ||
911 | 0x00, 0x18, /* P-384 */ | ||
912 | 0x00, 0x19, /* P-521 */ | ||
913 | |||
914 | 0x00, 0x0b, /* ec_point_formats */ | ||
915 | 0x00, 0x02, /* 2 bytes */ | ||
916 | 0x01, /* 1 point format */ | ||
917 | 0x00, /* uncompressed */ | ||
918 | }; | ||
919 | |||
920 | /* The following is only present in TLS 1.2 */ | ||
921 | static const unsigned char kSafariTLS12ExtensionsBlock[] = { | ||
922 | 0x00, 0x0d, /* signature_algorithms */ | ||
923 | 0x00, 0x0c, /* 12 bytes */ | ||
924 | 0x00, 0x0a, /* 10 bytes */ | ||
925 | 0x05, 0x01, /* SHA-384/RSA */ | ||
926 | 0x04, 0x01, /* SHA-256/RSA */ | ||
927 | 0x02, 0x01, /* SHA-1/RSA */ | ||
928 | 0x04, 0x03, /* SHA-256/ECDSA */ | ||
929 | 0x02, 0x03, /* SHA-1/ECDSA */ | ||
930 | }; | ||
931 | |||
932 | if (data >= (d+n-2)) | ||
933 | return; | ||
934 | data += 2; | ||
935 | |||
936 | if (data > (d+n-4)) | ||
937 | return; | ||
938 | n2s(data,type); | ||
939 | n2s(data,size); | ||
940 | |||
941 | if (type != TLSEXT_TYPE_server_name) | ||
942 | return; | ||
943 | |||
944 | if (data+size > d+n) | ||
945 | return; | ||
946 | data += size; | ||
947 | |||
948 | if (TLS1_get_client_version(s) >= TLS1_2_VERSION) | ||
949 | { | ||
950 | const size_t len1 = sizeof(kSafariExtensionsBlock); | ||
951 | const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); | ||
952 | |||
953 | if (data + len1 + len2 != d+n) | ||
954 | return; | ||
955 | if (memcmp(data, kSafariExtensionsBlock, len1) != 0) | ||
956 | return; | ||
957 | if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) | ||
958 | return; | ||
959 | } | ||
960 | else | ||
961 | { | ||
962 | const size_t len = sizeof(kSafariExtensionsBlock); | ||
963 | |||
964 | if (data + len != d+n) | ||
965 | return; | ||
966 | if (memcmp(data, kSafariExtensionsBlock, len) != 0) | ||
967 | return; | ||
968 | } | ||
969 | |||
970 | s->s3->is_probably_safari = 1; | ||
971 | } | ||
972 | #endif /* !OPENSSL_NO_EC */ | ||
973 | |||
865 | int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) | 974 | int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) |
866 | { | 975 | { |
867 | unsigned short type; | 976 | unsigned short type; |
@@ -882,6 +991,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
882 | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); | 991 | SSL_TLSEXT_HB_DONT_SEND_REQUESTS); |
883 | #endif | 992 | #endif |
884 | 993 | ||
994 | #ifndef OPENSSL_NO_EC | ||
995 | if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) | ||
996 | ssl_check_for_safari(s, data, d, n); | ||
997 | #endif /* !OPENSSL_NO_EC */ | ||
998 | |||
885 | if (data >= (d+n-2)) | 999 | if (data >= (d+n-2)) |
886 | goto ri_check; | 1000 | goto ri_check; |
887 | n2s(data,len); | 1001 | n2s(data,len); |
@@ -1077,7 +1191,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
1077 | int ellipticcurvelist_length = (*(sdata++) << 8); | 1191 | int ellipticcurvelist_length = (*(sdata++) << 8); |
1078 | ellipticcurvelist_length += (*(sdata++)); | 1192 | ellipticcurvelist_length += (*(sdata++)); |
1079 | 1193 | ||
1080 | if (ellipticcurvelist_length != size - 2) | 1194 | if (ellipticcurvelist_length != size - 2 || |
1195 | ellipticcurvelist_length < 1) | ||
1081 | { | 1196 | { |
1082 | *al = TLS1_AD_DECODE_ERROR; | 1197 | *al = TLS1_AD_DECODE_ERROR; |
1083 | return 0; | 1198 | return 0; |
@@ -1176,7 +1291,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
1176 | } | 1291 | } |
1177 | } | 1292 | } |
1178 | else if (type == TLSEXT_TYPE_status_request && | 1293 | else if (type == TLSEXT_TYPE_status_request && |
1179 | s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) | 1294 | s->version != DTLS1_VERSION) |
1180 | { | 1295 | { |
1181 | 1296 | ||
1182 | if (size < 5) | 1297 | if (size < 5) |
@@ -1328,12 +1443,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
1328 | #endif | 1443 | #endif |
1329 | 1444 | ||
1330 | /* session ticket processed earlier */ | 1445 | /* session ticket processed earlier */ |
1446 | #ifndef OPENSSL_NO_SRTP | ||
1331 | else if (type == TLSEXT_TYPE_use_srtp) | 1447 | else if (type == TLSEXT_TYPE_use_srtp) |
1332 | { | 1448 | { |
1333 | if(ssl_parse_clienthello_use_srtp_ext(s, data, size, | 1449 | if(ssl_parse_clienthello_use_srtp_ext(s, data, size, |
1334 | al)) | 1450 | al)) |
1335 | return 0; | 1451 | return 0; |
1336 | } | 1452 | } |
1453 | #endif | ||
1337 | 1454 | ||
1338 | data+=size; | 1455 | data+=size; |
1339 | } | 1456 | } |
@@ -1433,7 +1550,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
1433 | unsigned char *sdata = data; | 1550 | unsigned char *sdata = data; |
1434 | int ecpointformatlist_length = *(sdata++); | 1551 | int ecpointformatlist_length = *(sdata++); |
1435 | 1552 | ||
1436 | if (ecpointformatlist_length != size - 1) | 1553 | if (ecpointformatlist_length != size - 1 || |
1554 | ecpointformatlist_length < 1) | ||
1437 | { | 1555 | { |
1438 | *al = TLS1_AD_DECODE_ERROR; | 1556 | *al = TLS1_AD_DECODE_ERROR; |
1439 | return 0; | 1557 | return 0; |
@@ -1527,7 +1645,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
1527 | unsigned char selected_len; | 1645 | unsigned char selected_len; |
1528 | 1646 | ||
1529 | /* We must have requested it. */ | 1647 | /* We must have requested it. */ |
1530 | if ((s->ctx->next_proto_select_cb == NULL)) | 1648 | if (s->ctx->next_proto_select_cb == NULL) |
1531 | { | 1649 | { |
1532 | *al = TLS1_AD_UNSUPPORTED_EXTENSION; | 1650 | *al = TLS1_AD_UNSUPPORTED_EXTENSION; |
1533 | return 0; | 1651 | return 0; |
@@ -1577,12 +1695,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in | |||
1577 | } | 1695 | } |
1578 | } | 1696 | } |
1579 | #endif | 1697 | #endif |
1698 | #ifndef OPENSSL_NO_SRTP | ||
1580 | else if (type == TLSEXT_TYPE_use_srtp) | 1699 | else if (type == TLSEXT_TYPE_use_srtp) |
1581 | { | 1700 | { |
1582 | if(ssl_parse_serverhello_use_srtp_ext(s, data, size, | 1701 | if(ssl_parse_serverhello_use_srtp_ext(s, data, size, |
1583 | al)) | 1702 | al)) |
1584 | return 0; | 1703 | return 0; |
1585 | } | 1704 | } |
1705 | #endif | ||
1586 | 1706 | ||
1587 | data+=size; | 1707 | data+=size; |
1588 | } | 1708 | } |
@@ -1763,7 +1883,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s) | |||
1763 | return 1; | 1883 | return 1; |
1764 | } | 1884 | } |
1765 | 1885 | ||
1766 | int ssl_check_clienthello_tlsext(SSL *s) | 1886 | int ssl_check_clienthello_tlsext_early(SSL *s) |
1767 | { | 1887 | { |
1768 | int ret=SSL_TLSEXT_ERR_NOACK; | 1888 | int ret=SSL_TLSEXT_ERR_NOACK; |
1769 | int al = SSL_AD_UNRECOGNIZED_NAME; | 1889 | int al = SSL_AD_UNRECOGNIZED_NAME; |
@@ -1782,42 +1902,12 @@ int ssl_check_clienthello_tlsext(SSL *s) | |||
1782 | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) | 1902 | else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) |
1783 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); | 1903 | ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); |
1784 | 1904 | ||
1785 | /* If status request then ask callback what to do. | ||
1786 | * Note: this must be called after servername callbacks in case | ||
1787 | * the certificate has changed. | ||
1788 | */ | ||
1789 | if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) | ||
1790 | { | ||
1791 | int r; | ||
1792 | r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | ||
1793 | switch (r) | ||
1794 | { | ||
1795 | /* We don't want to send a status request response */ | ||
1796 | case SSL_TLSEXT_ERR_NOACK: | ||
1797 | s->tlsext_status_expected = 0; | ||
1798 | break; | ||
1799 | /* status request response should be sent */ | ||
1800 | case SSL_TLSEXT_ERR_OK: | ||
1801 | if (s->tlsext_ocsp_resp) | ||
1802 | s->tlsext_status_expected = 1; | ||
1803 | else | ||
1804 | s->tlsext_status_expected = 0; | ||
1805 | break; | ||
1806 | /* something bad happened */ | ||
1807 | case SSL_TLSEXT_ERR_ALERT_FATAL: | ||
1808 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; | ||
1809 | al = SSL_AD_INTERNAL_ERROR; | ||
1810 | goto err; | ||
1811 | } | ||
1812 | } | ||
1813 | else | ||
1814 | s->tlsext_status_expected = 0; | ||
1815 | |||
1816 | #ifdef TLSEXT_TYPE_opaque_prf_input | 1905 | #ifdef TLSEXT_TYPE_opaque_prf_input |
1817 | { | 1906 | { |
1818 | /* This sort of belongs into ssl_prepare_serverhello_tlsext(), | 1907 | /* This sort of belongs into ssl_prepare_serverhello_tlsext(), |
1819 | * but we might be sending an alert in response to the client hello, | 1908 | * but we might be sending an alert in response to the client hello, |
1820 | * so this has to happen here in ssl_check_clienthello_tlsext(). */ | 1909 | * so this has to happen here in |
1910 | * ssl_check_clienthello_tlsext_early(). */ | ||
1821 | 1911 | ||
1822 | int r = 1; | 1912 | int r = 1; |
1823 | 1913 | ||
@@ -1869,8 +1959,8 @@ int ssl_check_clienthello_tlsext(SSL *s) | |||
1869 | } | 1959 | } |
1870 | } | 1960 | } |
1871 | 1961 | ||
1872 | #endif | ||
1873 | err: | 1962 | err: |
1963 | #endif | ||
1874 | switch (ret) | 1964 | switch (ret) |
1875 | { | 1965 | { |
1876 | case SSL_TLSEXT_ERR_ALERT_FATAL: | 1966 | case SSL_TLSEXT_ERR_ALERT_FATAL: |
@@ -1888,6 +1978,71 @@ int ssl_check_clienthello_tlsext(SSL *s) | |||
1888 | } | 1978 | } |
1889 | } | 1979 | } |
1890 | 1980 | ||
1981 | int ssl_check_clienthello_tlsext_late(SSL *s) | ||
1982 | { | ||
1983 | int ret = SSL_TLSEXT_ERR_OK; | ||
1984 | int al; | ||
1985 | |||
1986 | /* If status request then ask callback what to do. | ||
1987 | * Note: this must be called after servername callbacks in case | ||
1988 | * the certificate has changed, and must be called after the cipher | ||
1989 | * has been chosen because this may influence which certificate is sent | ||
1990 | */ | ||
1991 | if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) | ||
1992 | { | ||
1993 | int r; | ||
1994 | CERT_PKEY *certpkey; | ||
1995 | certpkey = ssl_get_server_send_pkey(s); | ||
1996 | /* If no certificate can't return certificate status */ | ||
1997 | if (certpkey == NULL) | ||
1998 | { | ||
1999 | s->tlsext_status_expected = 0; | ||
2000 | return 1; | ||
2001 | } | ||
2002 | /* Set current certificate to one we will use so | ||
2003 | * SSL_get_certificate et al can pick it up. | ||
2004 | */ | ||
2005 | s->cert->key = certpkey; | ||
2006 | r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); | ||
2007 | switch (r) | ||
2008 | { | ||
2009 | /* We don't want to send a status request response */ | ||
2010 | case SSL_TLSEXT_ERR_NOACK: | ||
2011 | s->tlsext_status_expected = 0; | ||
2012 | break; | ||
2013 | /* status request response should be sent */ | ||
2014 | case SSL_TLSEXT_ERR_OK: | ||
2015 | if (s->tlsext_ocsp_resp) | ||
2016 | s->tlsext_status_expected = 1; | ||
2017 | else | ||
2018 | s->tlsext_status_expected = 0; | ||
2019 | break; | ||
2020 | /* something bad happened */ | ||
2021 | case SSL_TLSEXT_ERR_ALERT_FATAL: | ||
2022 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; | ||
2023 | al = SSL_AD_INTERNAL_ERROR; | ||
2024 | goto err; | ||
2025 | } | ||
2026 | } | ||
2027 | else | ||
2028 | s->tlsext_status_expected = 0; | ||
2029 | |||
2030 | err: | ||
2031 | switch (ret) | ||
2032 | { | ||
2033 | case SSL_TLSEXT_ERR_ALERT_FATAL: | ||
2034 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | ||
2035 | return -1; | ||
2036 | |||
2037 | case SSL_TLSEXT_ERR_ALERT_WARNING: | ||
2038 | ssl3_send_alert(s,SSL3_AL_WARNING,al); | ||
2039 | return 1; | ||
2040 | |||
2041 | default: | ||
2042 | return 1; | ||
2043 | } | ||
2044 | } | ||
2045 | |||
1891 | int ssl_check_serverhello_tlsext(SSL *s) | 2046 | int ssl_check_serverhello_tlsext(SSL *s) |
1892 | { | 2047 | { |
1893 | int ret=SSL_TLSEXT_ERR_NOACK; | 2048 | int ret=SSL_TLSEXT_ERR_NOACK; |
@@ -2189,7 +2344,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, | |||
2189 | HMAC_Update(&hctx, etick, eticklen); | 2344 | HMAC_Update(&hctx, etick, eticklen); |
2190 | HMAC_Final(&hctx, tick_hmac, NULL); | 2345 | HMAC_Final(&hctx, tick_hmac, NULL); |
2191 | HMAC_CTX_cleanup(&hctx); | 2346 | HMAC_CTX_cleanup(&hctx); |
2192 | if (memcmp(tick_hmac, etick + eticklen, mlen)) | 2347 | if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) |
2193 | return 2; | 2348 | return 2; |
2194 | /* Attempt to decrypt session data */ | 2349 | /* Attempt to decrypt session data */ |
2195 | /* Move p after IV to start of encrypted ticket, update length */ | 2350 | /* Move p after IV to start of encrypted ticket, update length */ |
@@ -2319,14 +2474,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) | |||
2319 | { | 2474 | { |
2320 | switch(hash_alg) | 2475 | switch(hash_alg) |
2321 | { | 2476 | { |
2322 | #ifndef OPENSSL_NO_MD5 | ||
2323 | case TLSEXT_hash_md5: | ||
2324 | #ifdef OPENSSL_FIPS | ||
2325 | if (FIPS_mode()) | ||
2326 | return NULL; | ||
2327 | #endif | ||
2328 | return EVP_md5(); | ||
2329 | #endif | ||
2330 | #ifndef OPENSSL_NO_SHA | 2477 | #ifndef OPENSSL_NO_SHA |
2331 | case TLSEXT_hash_sha1: | 2478 | case TLSEXT_hash_sha1: |
2332 | return EVP_sha1(); | 2479 | return EVP_sha1(); |
@@ -2414,7 +2561,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) | |||
2414 | */ | 2561 | */ |
2415 | #ifndef OPENSSL_NO_DSA | 2562 | #ifndef OPENSSL_NO_DSA |
2416 | if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) | 2563 | if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) |
2417 | c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); | 2564 | c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); |
2418 | #endif | 2565 | #endif |
2419 | #ifndef OPENSSL_NO_RSA | 2566 | #ifndef OPENSSL_NO_RSA |
2420 | if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) | 2567 | if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) |
@@ -2425,7 +2572,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) | |||
2425 | #endif | 2572 | #endif |
2426 | #ifndef OPENSSL_NO_ECDSA | 2573 | #ifndef OPENSSL_NO_ECDSA |
2427 | if (!c->pkeys[SSL_PKEY_ECC].digest) | 2574 | if (!c->pkeys[SSL_PKEY_ECC].digest) |
2428 | c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); | 2575 | c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); |
2429 | #endif | 2576 | #endif |
2430 | return 1; | 2577 | return 1; |
2431 | } | 2578 | } |
@@ -2441,16 +2588,20 @@ tls1_process_heartbeat(SSL *s) | |||
2441 | unsigned int payload; | 2588 | unsigned int payload; |
2442 | unsigned int padding = 16; /* Use minimum padding */ | 2589 | unsigned int padding = 16; /* Use minimum padding */ |
2443 | 2590 | ||
2444 | /* Read type and payload length first */ | ||
2445 | hbtype = *p++; | ||
2446 | n2s(p, payload); | ||
2447 | pl = p; | ||
2448 | |||
2449 | if (s->msg_callback) | 2591 | if (s->msg_callback) |
2450 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, | 2592 | s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, |
2451 | &s->s3->rrec.data[0], s->s3->rrec.length, | 2593 | &s->s3->rrec.data[0], s->s3->rrec.length, |
2452 | s, s->msg_callback_arg); | 2594 | s, s->msg_callback_arg); |
2453 | 2595 | ||
2596 | /* Read type and payload length first */ | ||
2597 | if (1 + 2 + 16 > s->s3->rrec.length) | ||
2598 | return 0; /* silently discard */ | ||
2599 | hbtype = *p++; | ||
2600 | n2s(p, payload); | ||
2601 | if (1 + 2 + payload + 16 > s->s3->rrec.length) | ||
2602 | return 0; /* silently discard per RFC 6520 sec. 4 */ | ||
2603 | pl = p; | ||
2604 | |||
2454 | if (hbtype == TLS1_HB_REQUEST) | 2605 | if (hbtype == TLS1_HB_REQUEST) |
2455 | { | 2606 | { |
2456 | unsigned char *buffer, *bp; | 2607 | unsigned char *buffer, *bp; |
diff --git a/src/lib/libssl/test/cms-test.pl b/src/lib/libssl/test/cms-test.pl index c938bcf00d..dfef799be2 100644 --- a/src/lib/libssl/test/cms-test.pl +++ b/src/lib/libssl/test/cms-test.pl | |||
@@ -415,8 +415,10 @@ sub run_smime_tests { | |||
415 | } | 415 | } |
416 | 416 | ||
417 | sub cmp_files { | 417 | sub cmp_files { |
418 | use FileHandle; | ||
418 | my ( $f1, $f2 ) = @_; | 419 | my ( $f1, $f2 ) = @_; |
419 | my ( $fp1, $fp2 ); | 420 | my $fp1 = FileHandle->new(); |
421 | my $fp2 = FileHandle->new(); | ||
420 | 422 | ||
421 | my ( $rd1, $rd2 ); | 423 | my ( $rd1, $rd2 ); |
422 | 424 | ||
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl index 5ae4dc8720..4e8542b556 100644 --- a/src/lib/libssl/test/testssl +++ b/src/lib/libssl/test/testssl | |||
@@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1 | |||
119 | echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify | 119 | echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify |
120 | $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 | 120 | $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 |
121 | 121 | ||
122 | echo "Testing ciphersuites" | ||
123 | for protocol in TLSv1.2 SSLv3; do | ||
124 | echo "Testing ciphersuites for $protocol" | ||
125 | for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do | ||
126 | echo "Testing $cipher" | ||
127 | prot="" | ||
128 | if [ $protocol = "SSLv3" ] ; then | ||
129 | prot="-ssl3" | ||
130 | fi | ||
131 | $ssltest -cipher $cipher $prot | ||
132 | if [ $? -ne 0 ] ; then | ||
133 | echo "Failed $cipher" | ||
134 | exit 1 | ||
135 | fi | ||
136 | done | ||
137 | done | ||
138 | |||
122 | ############################################################################# | 139 | ############################################################################# |
123 | 140 | ||
124 | if ../util/shlib_wrap.sh ../apps/openssl no-dh; then | 141 | if ../util/shlib_wrap.sh ../apps/openssl no-dh; then |
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h index c39c267f0b..c992091e30 100644 --- a/src/lib/libssl/tls1.h +++ b/src/lib/libssl/tls1.h | |||
@@ -230,6 +230,12 @@ extern "C" { | |||
230 | /* ExtensionType value from RFC5620 */ | 230 | /* ExtensionType value from RFC5620 */ |
231 | #define TLSEXT_TYPE_heartbeat 15 | 231 | #define TLSEXT_TYPE_heartbeat 15 |
232 | 232 | ||
233 | /* ExtensionType value for TLS padding extension. | ||
234 | * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml | ||
235 | * http://tools.ietf.org/html/draft-agl-tls-padding-03 | ||
236 | */ | ||
237 | #define TLSEXT_TYPE_padding 21 | ||
238 | |||
233 | /* ExtensionType value from RFC4507 */ | 239 | /* ExtensionType value from RFC4507 */ |
234 | #define TLSEXT_TYPE_session_ticket 35 | 240 | #define TLSEXT_TYPE_session_ticket 35 |
235 | 241 | ||