summaryrefslogtreecommitdiff
path: root/src/lib/libssl
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/d1_both.c39
-rw-r--r--src/lib/libssl/d1_clnt.c36
-rw-r--r--src/lib/libssl/d1_enc.c59
-rw-r--r--src/lib/libssl/d1_lib.c1
-rw-r--r--src/lib/libssl/d1_pkt.c98
-rw-r--r--src/lib/libssl/d1_srtp.c5
-rw-r--r--src/lib/libssl/d1_srvr.c29
-rw-r--r--src/lib/libssl/dtls1.h8
-rw-r--r--src/lib/libssl/s23_clnt.c29
-rw-r--r--src/lib/libssl/s3_both.c22
-rw-r--r--src/lib/libssl/s3_clnt.c11
-rw-r--r--src/lib/libssl/s3_lib.c36
-rw-r--r--src/lib/libssl/s3_pkt.c111
-rw-r--r--src/lib/libssl/s3_srvr.c39
-rw-r--r--src/lib/libssl/ssl.h21
-rw-r--r--src/lib/libssl/ssl3.h15
-rw-r--r--src/lib/libssl/ssl_algs.c1
-rw-r--r--src/lib/libssl/ssl_cert.c4
-rw-r--r--src/lib/libssl/ssl_ciph.c5
-rw-r--r--src/lib/libssl/ssl_err.c1
-rw-r--r--src/lib/libssl/ssl_lib.c26
-rw-r--r--src/lib/libssl/ssl_locl.h47
-rw-r--r--src/lib/libssl/ssl_rsa.c14
-rw-r--r--src/lib/libssl/t1_enc.c190
-rw-r--r--src/lib/libssl/t1_lib.c283
-rw-r--r--src/lib/libssl/test/cms-test.pl4
-rw-r--r--src/lib/libssl/test/testssl17
-rw-r--r--src/lib/libssl/tls1.h6
28 files changed, 762 insertions, 395 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index de8bab873f..2e8cf681ed 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
214static void 214static void
215dtls1_hm_fragment_free(hm_fragment *frag) 215dtls1_hm_fragment_free(hm_fragment *frag)
216 { 216 {
217
218 if (frag->msg_header.is_ccs)
219 {
220 EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
221 EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
222 }
217 if (frag->fragment) OPENSSL_free(frag->fragment); 223 if (frag->fragment) OPENSSL_free(frag->fragment);
218 if (frag->reassembly) OPENSSL_free(frag->reassembly); 224 if (frag->reassembly) OPENSSL_free(frag->reassembly);
219 OPENSSL_free(frag); 225 OPENSSL_free(frag);
@@ -313,9 +319,10 @@ int dtls1_do_write(SSL *s, int type)
313 s->init_off -= DTLS1_HM_HEADER_LENGTH; 319 s->init_off -= DTLS1_HM_HEADER_LENGTH;
314 s->init_num += DTLS1_HM_HEADER_LENGTH; 320 s->init_num += DTLS1_HM_HEADER_LENGTH;
315 321
316 /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ 322 if ( s->init_num > curr_mtu)
317 if ( len <= DTLS1_HM_HEADER_LENGTH) 323 len = curr_mtu;
318 len += DTLS1_HM_HEADER_LENGTH; 324 else
325 len = s->init_num;
319 } 326 }
320 327
321 dtls1_fix_message_header(s, frag_off, 328 dtls1_fix_message_header(s, frag_off,
@@ -1452,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
1452 unsigned int payload; 1459 unsigned int payload;
1453 unsigned int padding = 16; /* Use minimum padding */ 1460 unsigned int padding = 16; /* Use minimum padding */
1454 1461
1455 /* Read type and payload length first */
1456 hbtype = *p++;
1457 n2s(p, payload);
1458 pl = p;
1459
1460 if (s->msg_callback) 1462 if (s->msg_callback)
1461 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 1463 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
1462 &s->s3->rrec.data[0], s->s3->rrec.length, 1464 &s->s3->rrec.data[0], s->s3->rrec.length,
1463 s, s->msg_callback_arg); 1465 s, s->msg_callback_arg);
1464 1466
1467 /* Read type and payload length first */
1468 if (1 + 2 + 16 > s->s3->rrec.length)
1469 return 0; /* silently discard */
1470 hbtype = *p++;
1471 n2s(p, payload);
1472 if (1 + 2 + payload + 16 > s->s3->rrec.length)
1473 return 0; /* silently discard per RFC 6520 sec. 4 */
1474 pl = p;
1475
1465 if (hbtype == TLS1_HB_REQUEST) 1476 if (hbtype == TLS1_HB_REQUEST)
1466 { 1477 {
1467 unsigned char *buffer, *bp; 1478 unsigned char *buffer, *bp;
1479 unsigned int write_length = 1 /* heartbeat type */ +
1480 2 /* heartbeat length */ +
1481 payload + padding;
1468 int r; 1482 int r;
1469 1483
1484 if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
1485 return 0;
1486
1470 /* Allocate memory for the response, size is 1 byte 1487 /* Allocate memory for the response, size is 1 byte
1471 * message type, plus 2 bytes payload length, plus 1488 * message type, plus 2 bytes payload length, plus
1472 * payload, plus padding 1489 * payload, plus padding
1473 */ 1490 */
1474 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 1491 buffer = OPENSSL_malloc(write_length);
1475 bp = buffer; 1492 bp = buffer;
1476 1493
1477 /* Enter response type, length and copy payload */ 1494 /* Enter response type, length and copy payload */
@@ -1482,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
1482 /* Random padding */ 1499 /* Random padding */
1483 RAND_pseudo_bytes(bp, padding); 1500 RAND_pseudo_bytes(bp, padding);
1484 1501
1485 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 1502 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
1486 1503
1487 if (r >= 0 && s->msg_callback) 1504 if (r >= 0 && s->msg_callback)
1488 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 1505 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1489 buffer, 3 + payload + padding, 1506 buffer, write_length,
1490 s, s->msg_callback_arg); 1507 s, s->msg_callback_arg);
1491 1508
1492 OPENSSL_free(buffer); 1509 OPENSSL_free(buffer);
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index a6ed09c51d..48e5e06bde 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -538,13 +538,6 @@ int dtls1_connect(SSL *s)
538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
539 if (ret <= 0) goto end; 539 if (ret <= 0) goto end;
540 540
541#ifndef OPENSSL_NO_SCTP
542 /* Change to new shared key of SCTP-Auth,
543 * will be ignored if no SCTP used.
544 */
545 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
546#endif
547
548 s->state=SSL3_ST_CW_FINISHED_A; 541 s->state=SSL3_ST_CW_FINISHED_A;
549 s->init_num=0; 542 s->init_num=0;
550 543
@@ -571,6 +564,16 @@ int dtls1_connect(SSL *s)
571 goto end; 564 goto end;
572 } 565 }
573 566
567#ifndef OPENSSL_NO_SCTP
568 if (s->hit)
569 {
570 /* Change to new shared key of SCTP-Auth,
571 * will be ignored if no SCTP used.
572 */
573 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
574 }
575#endif
576
574 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 577 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
575 break; 578 break;
576 579
@@ -613,6 +616,13 @@ int dtls1_connect(SSL *s)
613 } 616 }
614 else 617 else
615 { 618 {
619#ifndef OPENSSL_NO_SCTP
620 /* Change to new shared key of SCTP-Auth,
621 * will be ignored if no SCTP used.
622 */
623 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
624#endif
625
616#ifndef OPENSSL_NO_TLSEXT 626#ifndef OPENSSL_NO_TLSEXT
617 /* Allow NewSessionTicket if ticket expected */ 627 /* Allow NewSessionTicket if ticket expected */
618 if (s->tlsext_ticket_expected) 628 if (s->tlsext_ticket_expected)
@@ -773,7 +783,7 @@ int dtls1_client_hello(SSL *s)
773 unsigned char *buf; 783 unsigned char *buf;
774 unsigned char *p,*d; 784 unsigned char *p,*d;
775 unsigned int i,j; 785 unsigned int i,j;
776 unsigned long Time,l; 786 unsigned long l;
777 SSL_COMP *comp; 787 SSL_COMP *comp;
778 788
779 buf=(unsigned char *)s->init_buf->data; 789 buf=(unsigned char *)s->init_buf->data;
@@ -798,13 +808,11 @@ int dtls1_client_hello(SSL *s)
798 808
799 /* if client_random is initialized, reuse it, we are 809 /* if client_random is initialized, reuse it, we are
800 * required to use same upon reply to HelloVerify */ 810 * required to use same upon reply to HelloVerify */
801 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; 811 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++)
812 ;
802 if (i==sizeof(s->s3->client_random)) 813 if (i==sizeof(s->s3->client_random))
803 { 814 ssl_fill_hello_random(s, 0, p,
804 Time=(unsigned long)time(NULL); /* Time */ 815 sizeof(s->s3->client_random));
805 l2n(Time,p);
806 RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
807 }
808 816
809 /* Do the message type and length last */ 817 /* Do the message type and length last */
810 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 818 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c
index 07a5e97ce5..712c4647f2 100644
--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -126,20 +126,28 @@
126#include <openssl/des.h> 126#include <openssl/des.h>
127#endif 127#endif
128 128
129/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
130 *
131 * Returns:
132 * 0: (in non-constant time) if the record is publically invalid (i.e. too
133 * short etc).
134 * 1: if the record's padding is valid / the encryption was successful.
135 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
136 * an internal error occured. */
129int dtls1_enc(SSL *s, int send) 137int dtls1_enc(SSL *s, int send)
130 { 138 {
131 SSL3_RECORD *rec; 139 SSL3_RECORD *rec;
132 EVP_CIPHER_CTX *ds; 140 EVP_CIPHER_CTX *ds;
133 unsigned long l; 141 unsigned long l;
134 int bs,i,ii,j,k,n=0; 142 int bs,i,j,k,mac_size=0;
135 const EVP_CIPHER *enc; 143 const EVP_CIPHER *enc;
136 144
137 if (send) 145 if (send)
138 { 146 {
139 if (EVP_MD_CTX_md(s->write_hash)) 147 if (EVP_MD_CTX_md(s->write_hash))
140 { 148 {
141 n=EVP_MD_CTX_size(s->write_hash); 149 mac_size=EVP_MD_CTX_size(s->write_hash);
142 if (n < 0) 150 if (mac_size < 0)
143 return -1; 151 return -1;
144 } 152 }
145 ds=s->enc_write_ctx; 153 ds=s->enc_write_ctx;
@@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send)
164 { 172 {
165 if (EVP_MD_CTX_md(s->read_hash)) 173 if (EVP_MD_CTX_md(s->read_hash))
166 { 174 {
167 n=EVP_MD_CTX_size(s->read_hash); 175 mac_size=EVP_MD_CTX_size(s->read_hash);
168 if (n < 0) 176 OPENSSL_assert(mac_size >= 0);
169 return -1;
170 } 177 }
171 ds=s->enc_read_ctx; 178 ds=s->enc_read_ctx;
172 rec= &(s->s3->rrec); 179 rec= &(s->s3->rrec);
@@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send)
231 if (!send) 238 if (!send)
232 { 239 {
233 if (l == 0 || l%bs != 0) 240 if (l == 0 || l%bs != 0)
234 return -1; 241 return 0;
235 } 242 }
236 243
237 EVP_Cipher(ds,rec->data,rec->input,l); 244 EVP_Cipher(ds,rec->data,rec->input,l);
@@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send)
246#endif /* KSSL_DEBUG */ 253#endif /* KSSL_DEBUG */
247 254
248 if ((bs != 1) && !send) 255 if ((bs != 1) && !send)
249 { 256 return tls1_cbc_remove_padding(s, rec, bs, mac_size);
250 ii=i=rec->data[l-1]; /* padding_length */
251 i++;
252 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
253 {
254 /* First packet is even in size, so check */
255 if ((memcmp(s->s3->read_sequence,
256 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
257 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
258 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
259 i--;
260 }
261 /* TLS 1.0 does not bound the number of padding bytes by the block size.
262 * All of them must have value 'padding_length'. */
263 if (i + bs > (int)rec->length)
264 {
265 /* Incorrect padding. SSLerr() and ssl3_alert are done
266 * by caller: we don't want to reveal whether this is
267 * a decryption error or a MAC verification failure
268 * (see http://www.openssl.org/~bodo/tls-cbc.txt)
269 */
270 return -1;
271 }
272 for (j=(int)(l-i); j<(int)l; j++)
273 {
274 if (rec->data[j] != ii)
275 {
276 /* Incorrect padding */
277 return -1;
278 }
279 }
280 rec->length-=i;
281
282 rec->data += bs; /* skip the implicit IV */
283 rec->input += bs;
284 rec->length -= bs;
285 }
286 } 257 }
287 return(1); 258 return(1);
288 } 259 }
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index f61f718183..106939f241 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
196 pqueue_free(s->d1->buffered_app_data.q); 196 pqueue_free(s->d1->buffered_app_data.q);
197 197
198 OPENSSL_free(s->d1); 198 OPENSSL_free(s->d1);
199 s->d1 = NULL;
199 } 200 }
200 201
201void dtls1_clear(SSL *s) 202void dtls1_clear(SSL *s)
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 987af60835..8186462d4a 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -376,15 +376,11 @@ static int
376dtls1_process_record(SSL *s) 376dtls1_process_record(SSL *s)
377{ 377{
378 int i,al; 378 int i,al;
379 int clear=0;
380 int enc_err; 379 int enc_err;
381 SSL_SESSION *sess; 380 SSL_SESSION *sess;
382 SSL3_RECORD *rr; 381 SSL3_RECORD *rr;
383 unsigned int mac_size; 382 unsigned int mac_size, orig_len;
384 unsigned char md[EVP_MAX_MD_SIZE]; 383 unsigned char md[EVP_MAX_MD_SIZE];
385 int decryption_failed_or_bad_record_mac = 0;
386 unsigned char *mac = NULL;
387
388 384
389 rr= &(s->s3->rrec); 385 rr= &(s->s3->rrec);
390 sess = s->session; 386 sess = s->session;
@@ -416,12 +412,16 @@ dtls1_process_record(SSL *s)
416 rr->data=rr->input; 412 rr->data=rr->input;
417 413
418 enc_err = s->method->ssl3_enc->enc(s,0); 414 enc_err = s->method->ssl3_enc->enc(s,0);
419 if (enc_err <= 0) 415 /* enc_err is:
416 * 0: (in non-constant time) if the record is publically invalid.
417 * 1: if the padding is valid
418 * -1: if the padding is invalid */
419 if (enc_err == 0)
420 { 420 {
421 /* To minimize information leaked via timing, we will always 421 /* For DTLS we simply ignore bad packets. */
422 * perform all computations before discarding the message. 422 rr->length = 0;
423 */ 423 s->packet_length = 0;
424 decryption_failed_or_bad_record_mac = 1; 424 goto err;
425 } 425 }
426 426
427#ifdef TLS_DEBUG 427#ifdef TLS_DEBUG
@@ -431,45 +431,62 @@ printf("\n");
431#endif 431#endif
432 432
433 /* r->length is now the compressed data plus mac */ 433 /* r->length is now the compressed data plus mac */
434 if ( (sess == NULL) || 434 if ((sess != NULL) &&
435 (s->enc_read_ctx == NULL) || 435 (s->enc_read_ctx != NULL) &&
436 (s->read_hash == NULL)) 436 (EVP_MD_CTX_md(s->read_hash) != NULL))
437 clear=1;
438
439 if (!clear)
440 { 437 {
441 /* !clear => s->read_hash != NULL => mac_size != -1 */ 438 /* s->read_hash != NULL => mac_size != -1 */
442 int t; 439 unsigned char *mac = NULL;
443 t=EVP_MD_CTX_size(s->read_hash); 440 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
444 OPENSSL_assert(t >= 0); 441 mac_size=EVP_MD_CTX_size(s->read_hash);
445 mac_size=t; 442 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
446 443
447 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 444 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
445 orig_len = rr->length+((unsigned int)rr->type>>8);
446
447 /* orig_len is the length of the record before any padding was
448 * removed. This is public information, as is the MAC in use,
449 * therefore we can safely process the record in a different
450 * amount of time if it's too short to possibly contain a MAC.
451 */
452 if (orig_len < mac_size ||
453 /* CBC records must have a padding length byte too. */
454 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
455 orig_len < mac_size+1))
448 { 456 {
449#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 457 al=SSL_AD_DECODE_ERROR;
450 al=SSL_AD_RECORD_OVERFLOW; 458 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
451 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
452 goto f_err; 459 goto f_err;
453#else
454 decryption_failed_or_bad_record_mac = 1;
455#endif
456 } 460 }
457 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 461
458 if (rr->length >= mac_size) 462 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
459 { 463 {
464 /* We update the length so that the TLS header bytes
465 * can be constructed correctly but we need to extract
466 * the MAC in constant time from within the record,
467 * without leaking the contents of the padding bytes.
468 * */
469 mac = mac_tmp;
470 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
460 rr->length -= mac_size; 471 rr->length -= mac_size;
461 mac = &rr->data[rr->length];
462 } 472 }
463 else 473 else
464 rr->length = 0;
465 i=s->method->ssl3_enc->mac(s,md,0);
466 if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
467 { 474 {
468 decryption_failed_or_bad_record_mac = 1; 475 /* In this case there's no padding, so |orig_len|
476 * equals |rec->length| and we checked that there's
477 * enough bytes for |mac_size| above. */
478 rr->length -= mac_size;
479 mac = &rr->data[rr->length];
469 } 480 }
481
482 i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
483 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
484 enc_err = -1;
485 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
486 enc_err = -1;
470 } 487 }
471 488
472 if (decryption_failed_or_bad_record_mac) 489 if (enc_err < 0)
473 { 490 {
474 /* decryption failed, silently discard message */ 491 /* decryption failed, silently discard message */
475 rr->length = 0; 492 rr->length = 0;
@@ -830,6 +847,12 @@ start:
830 } 847 }
831 } 848 }
832 849
850 if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
851 {
852 rr->length = 0;
853 goto start;
854 }
855
833 /* we now have a packet which can be read and processed */ 856 /* we now have a packet which can be read and processed */
834 857
835 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 858 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1034,6 +1057,7 @@ start:
1034 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 1057 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1035 !s->s3->renegotiate) 1058 !s->s3->renegotiate)
1036 { 1059 {
1060 s->d1->handshake_read_seq++;
1037 s->new_session = 1; 1061 s->new_session = 1;
1038 ssl3_renegotiate(s); 1062 ssl3_renegotiate(s);
1039 if (ssl3_renegotiate_check(s)) 1063 if (ssl3_renegotiate_check(s))
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 928935bd8b..ab9c41922c 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -115,11 +115,12 @@
115 Copyright (C) 2011, RTFM, Inc. 115 Copyright (C) 2011, RTFM, Inc.
116*/ 116*/
117 117
118#ifndef OPENSSL_NO_SRTP
119
120#include <stdio.h> 118#include <stdio.h>
121#include <openssl/objects.h> 119#include <openssl/objects.h>
122#include "ssl_locl.h" 120#include "ssl_locl.h"
121
122#ifndef OPENSSL_NO_SRTP
123
123#include "srtp.h" 124#include "srtp.h"
124 125
125 126
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 29421da9aa..9975e20873 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
276 case SSL3_ST_SW_HELLO_REQ_B: 276 case SSL3_ST_SW_HELLO_REQ_B:
277 277
278 s->shutdown=0; 278 s->shutdown=0;
279 dtls1_clear_record_buffer(s);
279 dtls1_start_timer(s); 280 dtls1_start_timer(s);
280 ret=dtls1_send_hello_request(s); 281 ret=dtls1_send_hello_request(s);
281 if (ret <= 0) goto end; 282 if (ret <= 0) goto end;
282 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 283 s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
283 s->state=SSL3_ST_SW_FLUSH; 284 s->state=SSL3_ST_SW_FLUSH;
284 s->init_num=0; 285 s->init_num=0;
285 286
@@ -721,10 +722,13 @@ int dtls1_accept(SSL *s)
721 if (ret <= 0) goto end; 722 if (ret <= 0) goto end;
722 723
723#ifndef OPENSSL_NO_SCTP 724#ifndef OPENSSL_NO_SCTP
724 /* Change to new shared key of SCTP-Auth, 725 if (!s->hit)
725 * will be ignored if no SCTP used. 726 {
726 */ 727 /* Change to new shared key of SCTP-Auth,
727 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); 728 * will be ignored if no SCTP used.
729 */
730 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
731 }
728#endif 732#endif
729 733
730 s->state=SSL3_ST_SW_FINISHED_A; 734 s->state=SSL3_ST_SW_FINISHED_A;
@@ -749,7 +753,16 @@ int dtls1_accept(SSL *s)
749 if (ret <= 0) goto end; 753 if (ret <= 0) goto end;
750 s->state=SSL3_ST_SW_FLUSH; 754 s->state=SSL3_ST_SW_FLUSH;
751 if (s->hit) 755 if (s->hit)
756 {
752 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 757 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
758
759#ifndef OPENSSL_NO_SCTP
760 /* Change to new shared key of SCTP-Auth,
761 * will be ignored if no SCTP used.
762 */
763 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
764#endif
765 }
753 else 766 else
754 { 767 {
755 s->s3->tmp.next_state=SSL_ST_OK; 768 s->s3->tmp.next_state=SSL_ST_OK;
@@ -912,15 +925,13 @@ int dtls1_send_server_hello(SSL *s)
912 unsigned char *p,*d; 925 unsigned char *p,*d;
913 int i; 926 int i;
914 unsigned int sl; 927 unsigned int sl;
915 unsigned long l,Time; 928 unsigned long l;
916 929
917 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 930 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
918 { 931 {
919 buf=(unsigned char *)s->init_buf->data; 932 buf=(unsigned char *)s->init_buf->data;
920 p=s->s3->server_random; 933 p=s->s3->server_random;
921 Time=(unsigned long)time(NULL); /* Time */ 934 ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE);
922 l2n(Time,p);
923 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
924 /* Do the message type and length last */ 935 /* Do the message type and length last */
925 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 936 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
926 937
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index 5008bf6081..e65d501191 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -57,8 +57,8 @@
57 * 57 *
58 */ 58 */
59 59
60#ifndef HEADER_DTLS1_H 60#ifndef HEADER_DTLS1_H
61#define HEADER_DTLS1_H 61#define HEADER_DTLS1_H
62 62
63#include <openssl/buffer.h> 63#include <openssl/buffer.h>
64#include <openssl/pqueue.h> 64#include <openssl/pqueue.h>
@@ -72,8 +72,12 @@
72#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) 72#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
73#include <sys/timeval.h> 73#include <sys/timeval.h>
74#else 74#else
75#if defined(OPENSSL_SYS_VXWORKS)
76#include <sys/times.h>
77#else
75#include <sys/time.h> 78#include <sys/time.h>
76#endif 79#endif
80#endif
77 81
78#ifdef __cplusplus 82#ifdef __cplusplus
79extern "C" { 83extern "C" {
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 47673e740a..2b93c639dd 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -269,12 +269,35 @@ static int ssl23_no_ssl2_ciphers(SSL *s)
269 return 1; 269 return 1;
270 } 270 }
271 271
272/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
273 * on failure, 1 on success. */
274int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
275 {
276 int send_time = 0;
277
278 if (len < 4)
279 return 0;
280 if (server)
281 send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
282 else
283 send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
284 if (send_time)
285 {
286 unsigned long Time = (unsigned long)time(NULL);
287 unsigned char *p = result;
288 l2n(Time, p);
289 return RAND_pseudo_bytes(p, len-4);
290 }
291 else
292 return RAND_pseudo_bytes(result, len);
293 }
294
272static int ssl23_client_hello(SSL *s) 295static int ssl23_client_hello(SSL *s)
273 { 296 {
274 unsigned char *buf; 297 unsigned char *buf;
275 unsigned char *p,*d; 298 unsigned char *p,*d;
276 int i,ch_len; 299 int i,ch_len;
277 unsigned long Time,l; 300 unsigned long l;
278 int ssl2_compat; 301 int ssl2_compat;
279 int version = 0, version_major, version_minor; 302 int version = 0, version_major, version_minor;
280#ifndef OPENSSL_NO_COMP 303#ifndef OPENSSL_NO_COMP
@@ -355,9 +378,7 @@ static int ssl23_client_hello(SSL *s)
355#endif 378#endif
356 379
357 p=s->s3->client_random; 380 p=s->s3->client_random;
358 Time=(unsigned long)time(NULL); /* Time */ 381 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
359 l2n(Time,p);
360 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
361 return -1; 382 return -1;
362 383
363 if (version == TLS1_2_VERSION) 384 if (version == TLS1_2_VERSION)
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index b63460a56d..53b9390fdd 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
161 161
162 i=s->method->ssl3_enc->final_finish_mac(s, 162 i=s->method->ssl3_enc->final_finish_mac(s,
163 sender,slen,s->s3->tmp.finish_md); 163 sender,slen,s->s3->tmp.finish_md);
164 if (i == 0)
165 return 0;
164 s->s3->tmp.finish_md_len = i; 166 s->s3->tmp.finish_md_len = i;
165 memcpy(p, s->s3->tmp.finish_md, i); 167 memcpy(p, s->s3->tmp.finish_md, i);
166 p+=i; 168 p+=i;
@@ -204,10 +206,15 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
204 206
205#ifndef OPENSSL_NO_NEXTPROTONEG 207#ifndef OPENSSL_NO_NEXTPROTONEG
206/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ 208/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
207static void ssl3_take_mac(SSL *s) { 209static void ssl3_take_mac(SSL *s)
210 {
208 const char *sender; 211 const char *sender;
209 int slen; 212 int slen;
210 213 /* If no new cipher setup return immediately: other functions will
214 * set the appropriate error.
215 */
216 if (s->s3->tmp.new_cipher == NULL)
217 return;
211 if (s->state & SSL_ST_CONNECT) 218 if (s->state & SSL_ST_CONNECT)
212 { 219 {
213 sender=s->method->ssl3_enc->server_finished_label; 220 sender=s->method->ssl3_enc->server_finished_label;
@@ -221,7 +228,7 @@ static void ssl3_take_mac(SSL *s) {
221 228
222 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 229 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
223 sender,slen,s->s3->tmp.peer_finish_md); 230 sender,slen,s->s3->tmp.peer_finish_md);
224} 231 }
225#endif 232#endif
226 233
227int ssl3_get_finished(SSL *s, int a, int b) 234int ssl3_get_finished(SSL *s, int a, int b)
@@ -231,8 +238,9 @@ int ssl3_get_finished(SSL *s, int a, int b)
231 unsigned char *p; 238 unsigned char *p;
232 239
233#ifdef OPENSSL_NO_NEXTPROTONEG 240#ifdef OPENSSL_NO_NEXTPROTONEG
234 /* the mac has already been generated when we received the change 241 /* the mac has already been generated when we received the
235 * cipher spec message and is in s->s3->tmp.peer_finish_md. */ 242 * change cipher spec message and is in s->s3->tmp.peer_finish_md.
243 */
236#endif 244#endif
237 245
238 n=s->method->ssl_get_message(s, 246 n=s->method->ssl_get_message(s,
@@ -263,7 +271,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
263 goto f_err; 271 goto f_err;
264 } 272 }
265 273
266 if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) 274 if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
267 { 275 {
268 al=SSL_AD_DECRYPT_ERROR; 276 al=SSL_AD_DECRYPT_ERROR;
269 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); 277 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
@@ -537,12 +545,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
537 s->init_num += i; 545 s->init_num += i;
538 n -= i; 546 n -= i;
539 } 547 }
548
540#ifndef OPENSSL_NO_NEXTPROTONEG 549#ifndef OPENSSL_NO_NEXTPROTONEG
541 /* If receiving Finished, record MAC of prior handshake messages for 550 /* If receiving Finished, record MAC of prior handshake messages for
542 * Finished verification. */ 551 * Finished verification. */
543 if (*s->init_buf->data == SSL3_MT_FINISHED) 552 if (*s->init_buf->data == SSL3_MT_FINISHED)
544 ssl3_take_mac(s); 553 ssl3_take_mac(s);
545#endif 554#endif
555
546 /* Feed this message into MAC computation. */ 556 /* Feed this message into MAC computation. */
547 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 557 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
548 if (s->msg_callback) 558 if (s->msg_callback)
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b80d052e1f..a6b3c01afa 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -459,7 +459,6 @@ int ssl3_connect(SSL *s)
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 460 if (ret <= 0) goto end;
461 461
462
463#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
464 s->state=SSL3_ST_CW_FINISHED_A; 463 s->state=SSL3_ST_CW_FINISHED_A;
465#else 464#else
@@ -656,7 +655,7 @@ int ssl3_client_hello(SSL *s)
656 unsigned char *buf; 655 unsigned char *buf;
657 unsigned char *p,*d; 656 unsigned char *p,*d;
658 int i; 657 int i;
659 unsigned long Time,l; 658 unsigned long l;
660#ifndef OPENSSL_NO_COMP 659#ifndef OPENSSL_NO_COMP
661 int j; 660 int j;
662 SSL_COMP *comp; 661 SSL_COMP *comp;
@@ -681,9 +680,8 @@ int ssl3_client_hello(SSL *s)
681 /* else use the pre-loaded session */ 680 /* else use the pre-loaded session */
682 681
683 p=s->s3->client_random; 682 p=s->s3->client_random;
684 Time=(unsigned long)time(NULL); /* Time */ 683
685 l2n(Time,p); 684 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
686 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
687 goto err; 685 goto err;
688 686
689 /* Do the message type and length last */ 687 /* Do the message type and length last */
@@ -987,7 +985,10 @@ int ssl3_get_server_hello(SSL *s)
987 * client authentication. 985 * client authentication.
988 */ 986 */
989 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 987 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
988 {
989 al = SSL_AD_INTERNAL_ERROR;
990 goto f_err; 990 goto f_err;
991 }
991 /* lets get the compression algorithm */ 992 /* lets get the compression algorithm */
992 /* COMPRESSION */ 993 /* COMPRESSION */
993#ifdef OPENSSL_NO_COMP 994#ifdef OPENSSL_NO_COMP
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index fb60cde8ee..c4ef2738d7 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1125 0, /* not implemented (non-ephemeral DH) */ 1125 0, /* not implemented (non-ephemeral DH) */
1126 TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, 1126 TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
1127 TLS1_CK_DH_DSS_WITH_AES_128_SHA256, 1127 TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
1128 SSL_kDHr, 1128 SSL_kDHd,
1129 SSL_aDH, 1129 SSL_aDH,
1130 SSL_AES128, 1130 SSL_AES128,
1131 SSL_SHA256, 1131 SSL_SHA256,
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1407 0, /* not implemented (non-ephemeral DH) */ 1407 0, /* not implemented (non-ephemeral DH) */
1408 TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, 1408 TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
1409 TLS1_CK_DH_DSS_WITH_AES_256_SHA256, 1409 TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
1410 SSL_kDHr, 1410 SSL_kDHd,
1411 SSL_aDH, 1411 SSL_aDH,
1412 SSL_AES256, 1412 SSL_AES256,
1413 SSL_SHA256, 1413 SSL_SHA256,
@@ -1683,7 +1683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1683 SSL_3DES, 1683 SSL_3DES,
1684 SSL_SHA1, 1684 SSL_SHA1,
1685 SSL_TLSV1, 1685 SSL_TLSV1,
1686 SSL_NOT_EXP|SSL_HIGH, 1686 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1687 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1687 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1688 168, 1688 168,
1689 168, 1689 168,
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1699 SSL_AES128, 1699 SSL_AES128,
1700 SSL_SHA1, 1700 SSL_SHA1,
1701 SSL_TLSV1, 1701 SSL_TLSV1,
1702 SSL_NOT_EXP|SSL_HIGH, 1702 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1703 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1703 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1704 128, 1704 128,
1705 128, 1705 128,
@@ -1715,7 +1715,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1715 SSL_AES256, 1715 SSL_AES256,
1716 SSL_SHA1, 1716 SSL_SHA1,
1717 SSL_TLSV1, 1717 SSL_TLSV1,
1718 SSL_NOT_EXP|SSL_HIGH, 1718 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1719 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1719 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1720 256, 1720 256,
1721 256, 1721 256,
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1958 0, 1958 0,
1959 TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, 1959 TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
1960 TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, 1960 TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
1961 SSL_kDHr, 1961 SSL_kDHd,
1962 SSL_aDH, 1962 SSL_aDH,
1963 SSL_AES128GCM, 1963 SSL_AES128GCM,
1964 SSL_AEAD, 1964 SSL_AEAD,
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1974 0, 1974 0,
1975 TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, 1975 TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
1976 TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, 1976 TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
1977 SSL_kDHr, 1977 SSL_kDHd,
1978 SSL_aDH, 1978 SSL_aDH,
1979 SSL_AES256GCM, 1979 SSL_AES256GCM,
1980 SSL_AEAD, 1980 SSL_AEAD,
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2669 1, 2669 1,
2670 TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, 2670 TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
2671 TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, 2671 TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
2672 SSL_kECDHe, 2672 SSL_kECDHr,
2673 SSL_aECDH, 2673 SSL_aECDH,
2674 SSL_AES128, 2674 SSL_AES128,
2675 SSL_SHA256, 2675 SSL_SHA256,
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2685 1, 2685 1,
2686 TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, 2686 TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
2687 TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, 2687 TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
2688 SSL_kECDHe, 2688 SSL_kECDHr,
2689 SSL_aECDH, 2689 SSL_aECDH,
2690 SSL_AES256, 2690 SSL_AES256,
2691 SSL_SHA384, 2691 SSL_SHA384,
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2799 1, 2799 1,
2800 TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, 2800 TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
2801 TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, 2801 TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
2802 SSL_kECDHe, 2802 SSL_kECDHr,
2803 SSL_aECDH, 2803 SSL_aECDH,
2804 SSL_AES128GCM, 2804 SSL_AES128GCM,
2805 SSL_AEAD, 2805 SSL_AEAD,
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2815 1, 2815 1,
2816 TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, 2816 TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
2817 TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, 2817 TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
2818 SSL_kECDHe, 2818 SSL_kECDHr,
2819 SSL_aECDH, 2819 SSL_aECDH,
2820 SSL_AES256GCM, 2820 SSL_AES256GCM,
2821 SSL_AEAD, 2821 SSL_AEAD,
@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
3037 s->s3->tmp.ecdh = NULL; 3037 s->s3->tmp.ecdh = NULL;
3038 } 3038 }
3039#endif 3039#endif
3040#ifndef OPENSSL_NO_TLSEXT
3041#ifndef OPENSSL_NO_EC
3042 s->s3->is_probably_safari = 0;
3043#endif /* !OPENSSL_NO_EC */
3044#endif /* !OPENSSL_NO_TLSEXT */
3040 3045
3041 rp = s->s3->rbuf.buf; 3046 rp = s->s3->rbuf.buf;
3042 wp = s->s3->wbuf.buf; 3047 wp = s->s3->wbuf.buf;
@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
4016 ii=sk_SSL_CIPHER_find(allow,c); 4021 ii=sk_SSL_CIPHER_find(allow,c);
4017 if (ii >= 0) 4022 if (ii >= 0)
4018 { 4023 {
4024#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
4025 if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
4026 {
4027 if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
4028 continue;
4029 }
4030#endif
4019 ret=sk_SSL_CIPHER_value(allow,ii); 4031 ret=sk_SSL_CIPHER_value(allow,ii);
4020 break; 4032 break;
4021 } 4033 }
@@ -4274,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
4274long ssl_get_algorithm2(SSL *s) 4286long ssl_get_algorithm2(SSL *s)
4275 { 4287 {
4276 long alg2 = s->s3->tmp.new_cipher->algorithm2; 4288 long alg2 = s->s3->tmp.new_cipher->algorithm2;
4277 if (TLS1_get_version(s) >= TLS1_2_VERSION && 4289 if (s->method->version == TLS1_2_VERSION &&
4278 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) 4290 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
4279 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; 4291 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
4280 return alg2; 4292 return alg2;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index adf8c387cc..96ba63262e 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s)
290 unsigned char *p; 290 unsigned char *p;
291 unsigned char md[EVP_MAX_MD_SIZE]; 291 unsigned char md[EVP_MAX_MD_SIZE];
292 short version; 292 short version;
293 int mac_size; 293 unsigned mac_size, orig_len;
294 int clear=0;
295 size_t extra; 294 size_t extra;
296 int decryption_failed_or_bad_record_mac = 0;
297 unsigned char *mac = NULL;
298 295
299 rr= &(s->s3->rrec); 296 rr= &(s->s3->rrec);
300 sess=s->session; 297 sess=s->session;
@@ -338,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
338 if (version != s->version) 335 if (version != s->version)
339 { 336 {
340 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 337 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
341 if ((s->version & 0xFF00) == (version & 0xFF00)) 338 if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
342 /* Send back error using their minor version number :-) */ 339 /* Send back error using their minor version number :-) */
343 s->version = (unsigned short)version; 340 s->version = (unsigned short)version;
344 al=SSL_AD_PROTOCOL_VERSION; 341 al=SSL_AD_PROTOCOL_VERSION;
@@ -403,17 +400,15 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
403 rr->data=rr->input; 400 rr->data=rr->input;
404 401
405 enc_err = s->method->ssl3_enc->enc(s,0); 402 enc_err = s->method->ssl3_enc->enc(s,0);
406 if (enc_err <= 0) 403 /* enc_err is:
404 * 0: (in non-constant time) if the record is publically invalid.
405 * 1: if the padding is valid
406 * -1: if the padding is invalid */
407 if (enc_err == 0)
407 { 408 {
408 if (enc_err == 0) 409 al=SSL_AD_DECRYPTION_FAILED;
409 /* SSLerr() and ssl3_send_alert() have been called */ 410 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
410 goto err; 411 goto f_err;
411
412 /* Otherwise enc_err == -1, which indicates bad padding
413 * (rec->length has not been changed in this case).
414 * To minimize information leaked via timing, we will perform
415 * the MAC computation anyway. */
416 decryption_failed_or_bad_record_mac = 1;
417 } 412 }
418 413
419#ifdef TLS_DEBUG 414#ifdef TLS_DEBUG
@@ -423,53 +418,62 @@ printf("\n");
423#endif 418#endif
424 419
425 /* r->length is now the compressed data plus mac */ 420 /* r->length is now the compressed data plus mac */
426 if ( (sess == NULL) || 421 if ((sess != NULL) &&
427 (s->enc_read_ctx == NULL) || 422 (s->enc_read_ctx != NULL) &&
428 (EVP_MD_CTX_md(s->read_hash) == NULL)) 423 (EVP_MD_CTX_md(s->read_hash) != NULL))
429 clear=1;
430
431 if (!clear)
432 { 424 {
433 /* !clear => s->read_hash != NULL => mac_size != -1 */ 425 /* s->read_hash != NULL => mac_size != -1 */
426 unsigned char *mac = NULL;
427 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
434 mac_size=EVP_MD_CTX_size(s->read_hash); 428 mac_size=EVP_MD_CTX_size(s->read_hash);
435 OPENSSL_assert(mac_size >= 0); 429 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
436 430
437 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) 431 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
432 orig_len = rr->length+((unsigned int)rr->type>>8);
433
434 /* orig_len is the length of the record before any padding was
435 * removed. This is public information, as is the MAC in use,
436 * therefore we can safely process the record in a different
437 * amount of time if it's too short to possibly contain a MAC.
438 */
439 if (orig_len < mac_size ||
440 /* CBC records must have a padding length byte too. */
441 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
442 orig_len < mac_size+1))
438 { 443 {
439#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 444 al=SSL_AD_DECODE_ERROR;
440 al=SSL_AD_RECORD_OVERFLOW; 445 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
441 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
442 goto f_err; 446 goto f_err;
443#else
444 decryption_failed_or_bad_record_mac = 1;
445#endif
446 } 447 }
447 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 448
448 if (rr->length >= (unsigned int)mac_size) 449 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
449 { 450 {
451 /* We update the length so that the TLS header bytes
452 * can be constructed correctly but we need to extract
453 * the MAC in constant time from within the record,
454 * without leaking the contents of the padding bytes.
455 * */
456 mac = mac_tmp;
457 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
450 rr->length -= mac_size; 458 rr->length -= mac_size;
451 mac = &rr->data[rr->length];
452 } 459 }
453 else 460 else
454 { 461 {
455 /* record (minus padding) is too short to contain a MAC */ 462 /* In this case there's no padding, so |orig_len|
456#if 0 /* OK only for stream ciphers */ 463 * equals |rec->length| and we checked that there's
457 al=SSL_AD_DECODE_ERROR; 464 * enough bytes for |mac_size| above. */
458 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); 465 rr->length -= mac_size;
459 goto f_err; 466 mac = &rr->data[rr->length];
460#else
461 decryption_failed_or_bad_record_mac = 1;
462 rr->length = 0;
463#endif
464 }
465 i=s->method->ssl3_enc->mac(s,md,0);
466 if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0)
467 {
468 decryption_failed_or_bad_record_mac = 1;
469 } 467 }
468
469 i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
470 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
471 enc_err = -1;
472 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
473 enc_err = -1;
470 } 474 }
471 475
472 if (decryption_failed_or_bad_record_mac) 476 if (enc_err < 0)
473 { 477 {
474 /* A separate 'decryption_failed' alert was introduced with TLS 1.0, 478 /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
475 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 479 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
@@ -744,6 +748,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
744 * bytes and record version number > TLS 1.0 748 * bytes and record version number > TLS 1.0
745 */ 749 */
746 if (s->state == SSL3_ST_CW_CLNT_HELLO_B 750 if (s->state == SSL3_ST_CW_CLNT_HELLO_B
751 && !s->renegotiate
747 && TLS1_get_version(s) > TLS1_VERSION) 752 && TLS1_get_version(s) > TLS1_VERSION)
748 *(p++) = 0x1; 753 *(p++) = 0x1;
749 else 754 else
@@ -1238,7 +1243,7 @@ start:
1238 goto f_err; 1243 goto f_err;
1239 } 1244 }
1240#ifdef SSL_AD_MISSING_SRP_USERNAME 1245#ifdef SSL_AD_MISSING_SRP_USERNAME
1241 if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) 1246 else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1242 return(0); 1247 return(0);
1243#endif 1248#endif
1244 } 1249 }
@@ -1454,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
1454 slen=s->method->ssl3_enc->client_finished_label_len; 1459 slen=s->method->ssl3_enc->client_finished_label_len;
1455 } 1460 }
1456 1461
1457 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 1462 i = s->method->ssl3_enc->final_finish_mac(s,
1458 sender,slen,s->s3->tmp.peer_finish_md); 1463 sender,slen,s->s3->tmp.peer_finish_md);
1464 if (i == 0)
1465 {
1466 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
1467 return 0;
1468 }
1469 s->s3->tmp.peer_finish_md_len = i;
1459 1470
1460 return(1); 1471 return(1);
1461 } 1472 }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 118939fabb..9ac19c05f2 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -191,7 +191,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
191 { 191 {
192 if(s->srp_ctx.login == NULL) 192 if(s->srp_ctx.login == NULL)
193 { 193 {
194 /* There isn't any srp login extension !!! */ 194 /* RFC 5054 says SHOULD reject,
195 we do so if There is no srp login name */
195 ret = SSL3_AL_FATAL; 196 ret = SSL3_AL_FATAL;
196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
197 } 198 }
@@ -378,6 +379,7 @@ int ssl3_accept(SSL *s)
378 } 379 }
379 } 380 }
380#endif 381#endif
382
381 s->renegotiate = 2; 383 s->renegotiate = 2;
382 s->state=SSL3_ST_SW_SRVR_HELLO_A; 384 s->state=SSL3_ST_SW_SRVR_HELLO_A;
383 s->init_num=0; 385 s->init_num=0;
@@ -956,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
956 (s->version != DTLS1_VERSION && s->client_version < s->version)) 958 (s->version != DTLS1_VERSION && s->client_version < s->version))
957 { 959 {
958 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
959 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
962 !s->enc_write_ctx && !s->write_hash)
960 { 963 {
961 /* similar to ssl3_get_record, send alert using remote version number */ 964 /* similar to ssl3_get_record, send alert using remote version number */
962 s->version = s->client_version; 965 s->version = s->client_version;
@@ -1181,7 +1184,7 @@ int ssl3_get_client_hello(SSL *s)
1181 goto f_err; 1184 goto f_err;
1182 } 1185 }
1183 } 1186 }
1184 if (ssl_check_clienthello_tlsext(s) <= 0) { 1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1185 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1186 goto err; 1189 goto err;
1187 } 1190 }
@@ -1191,12 +1194,9 @@ int ssl3_get_client_hello(SSL *s)
1191 * server_random before calling tls_session_secret_cb in order to allow 1194 * server_random before calling tls_session_secret_cb in order to allow
1192 * SessionTicket processing to use it in key derivation. */ 1195 * SessionTicket processing to use it in key derivation. */
1193 { 1196 {
1194 unsigned long Time;
1195 unsigned char *pos; 1197 unsigned char *pos;
1196 Time=(unsigned long)time(NULL); /* Time */
1197 pos=s->s3->server_random; 1198 pos=s->s3->server_random;
1198 l2n(Time,pos); 1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0)
1199 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1200 { 1200 {
1201 al=SSL_AD_INTERNAL_ERROR; 1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1202 goto f_err;
@@ -1389,7 +1389,10 @@ int ssl3_get_client_hello(SSL *s)
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
1390 { 1390 {
1391 if (!ssl3_digest_cached_records(s)) 1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR;
1392 goto f_err; 1394 goto f_err;
1395 }
1393 } 1396 }
1394 1397
1395 /* we now have the following setup. 1398 /* we now have the following setup.
@@ -1403,6 +1406,16 @@ int ssl3_get_client_hello(SSL *s)
1403 * s->tmp.new_cipher - the new cipher to use. 1406 * s->tmp.new_cipher - the new cipher to use.
1404 */ 1407 */
1405 1408
1409 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION)
1411 {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err;
1416 }
1417 }
1418
1406 if (ret < 0) ret=1; 1419 if (ret < 0) ret=1;
1407 if (0) 1420 if (0)
1408 { 1421 {
@@ -1420,19 +1433,13 @@ int ssl3_send_server_hello(SSL *s)
1420 unsigned char *p,*d; 1433 unsigned char *p,*d;
1421 int i,sl; 1434 int i,sl;
1422 unsigned long l; 1435 unsigned long l;
1423#ifdef OPENSSL_NO_TLSEXT
1424 unsigned long Time;
1425#endif
1426 1436
1427 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
1428 { 1438 {
1429 buf=(unsigned char *)s->init_buf->data; 1439 buf=(unsigned char *)s->init_buf->data;
1430#ifdef OPENSSL_NO_TLSEXT 1440#ifdef OPENSSL_NO_TLSEXT
1431 p=s->s3->server_random; 1441 p=s->s3->server_random;
1432 /* Generate server_random if it was not needed previously */ 1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1433 Time=(unsigned long)time(NULL); /* Time */
1434 l2n(Time,p);
1435 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1436 return -1; 1443 return -1;
1437#endif 1444#endif
1438 /* Do the message type and length last */ 1445 /* Do the message type and length last */
@@ -1823,7 +1830,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1824 goto f_err; 1831 goto f_err;
1825 } 1832 }
1826 for (i=0; r[i] != NULL && i<4; i++) 1833 for (i=0; i < 4 && r[i] != NULL; i++)
1827 { 1834 {
1828 nr[i]=BN_num_bytes(r[i]); 1835 nr[i]=BN_num_bytes(r[i]);
1829#ifndef OPENSSL_NO_SRP 1836#ifndef OPENSSL_NO_SRP
@@ -1859,7 +1866,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1859 d=(unsigned char *)s->init_buf->data; 1866 d=(unsigned char *)s->init_buf->data;
1860 p= &(d[4]); 1867 p= &(d[4]);
1861 1868
1862 for (i=0; r[i] != NULL && i<4; i++) 1869 for (i=0; i < 4 && r[i] != NULL; i++)
1863 { 1870 {
1864#ifndef OPENSSL_NO_SRP 1871#ifndef OPENSSL_NO_SRP
1865 if ((i == 2) && (type & SSL_kSRP)) 1872 if ((i == 2) && (type & SSL_kSRP))
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 8b0c2a2dac..7219a0e64b 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -493,6 +493,9 @@ struct ssl_session_st
493 char *psk_identity_hint; 493 char *psk_identity_hint;
494 char *psk_identity; 494 char *psk_identity;
495#endif 495#endif
496 /* Used to indicate that session resumption is not allowed.
497 * Applications can also set this bit for a new session via
498 * not_resumable_session_cb to disable session caching and tickets. */
496 int not_resumable; 499 int not_resumable;
497 500
498 /* The cert is the certificate used to establish this connection */ 501 /* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@ struct ssl_session_st
535#endif /* OPENSSL_NO_EC */ 538#endif /* OPENSSL_NO_EC */
536 /* RFC4507 info */ 539 /* RFC4507 info */
537 unsigned char *tlsext_tick; /* Session ticket */ 540 unsigned char *tlsext_tick; /* Session ticket */
538 size_t tlsext_ticklen; /* Session ticket length */ 541 size_t tlsext_ticklen; /* Session ticket length */
539 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ 542 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
540#endif 543#endif
541#ifndef OPENSSL_NO_SRP 544#ifndef OPENSSL_NO_SRP
@@ -552,11 +555,14 @@ struct ssl_session_st
552#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L 555#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
553#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L 556#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
554#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L 557#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
555#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ 558#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
556#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L 559#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
557#define SSL_OP_TLS_D5_BUG 0x00000100L 560#define SSL_OP_TLS_D5_BUG 0x00000100L
558#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L 561#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
559 562
563/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
564#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
565
560/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added 566/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
561 * in OpenSSL 0.9.6d. Usually (depending on the application protocol) 567 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
562 * the workaround is not needed. Unfortunately some broken SSL/TLS 568 * the workaround is not needed. Unfortunately some broken SSL/TLS
@@ -638,6 +644,12 @@ struct ssl_session_st
638 * TLS only.) "Released" buffers are put onto a free-list in the context 644 * TLS only.) "Released" buffers are put onto a free-list in the context
639 * or just freed (depending on the context's setting for freelist_max_len). */ 645 * or just freed (depending on the context's setting for freelist_max_len). */
640#define SSL_MODE_RELEASE_BUFFERS 0x00000010L 646#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
647/* Send the current time in the Random fields of the ClientHello and
648 * ServerHello records for compatibility with hypothetical implementations
649 * that require it.
650 */
651#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
652#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
641 653
642/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, 654/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
643 * they cannot be used to clear bits. */ 655 * they cannot be used to clear bits. */
@@ -903,7 +915,7 @@ struct ssl_ctx_st
903 */ 915 */
904 unsigned int max_send_fragment; 916 unsigned int max_send_fragment;
905 917
906#ifndef OPENSSL_ENGINE 918#ifndef OPENSSL_NO_ENGINE
907 /* Engine to pass requests for client certs to 919 /* Engine to pass requests for client certs to
908 */ 920 */
909 ENGINE *client_cert_engine; 921 ENGINE *client_cert_engine;
@@ -927,6 +939,7 @@ struct ssl_ctx_st
927 /* Callback for status request */ 939 /* Callback for status request */
928 int (*tlsext_status_cb)(SSL *ssl, void *arg); 940 int (*tlsext_status_cb)(SSL *ssl, void *arg);
929 void *tlsext_status_arg; 941 void *tlsext_status_arg;
942
930 /* draft-rescorla-tls-opaque-prf-input-00.txt information */ 943 /* draft-rescorla-tls-opaque-prf-input-00.txt information */
931 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); 944 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
932 void *tlsext_opaque_prf_input_callback_arg; 945 void *tlsext_opaque_prf_input_callback_arg;
@@ -952,6 +965,7 @@ struct ssl_ctx_st
952#endif 965#endif
953 966
954#ifndef OPENSSL_NO_TLSEXT 967#ifndef OPENSSL_NO_TLSEXT
968
955# ifndef OPENSSL_NO_NEXTPROTONEG 969# ifndef OPENSSL_NO_NEXTPROTONEG
956 /* Next protocol negotiation information */ 970 /* Next protocol negotiation information */
957 /* (for experimental NPN extension). */ 971 /* (for experimental NPN extension). */
@@ -2206,6 +2220,7 @@ void ERR_load_SSL_strings(void);
2206#define SSL_F_SSL_GET_NEW_SESSION 181 2220#define SSL_F_SSL_GET_NEW_SESSION 181
2207#define SSL_F_SSL_GET_PREV_SESSION 217 2221#define SSL_F_SSL_GET_PREV_SESSION 217
2208#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 2222#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
2223#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317
2209#define SSL_F_SSL_GET_SIGN_PKEY 183 2224#define SSL_F_SSL_GET_SIGN_PKEY 183
2210#define SSL_F_SSL_INIT_WBIO_BUFFER 184 2225#define SSL_F_SSL_INIT_WBIO_BUFFER 184
2211#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 2226#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 112e627de0..cb8b2492ec 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -539,6 +539,15 @@ typedef struct ssl3_state_st
539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */ 539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */
540 int next_proto_neg_seen; 540 int next_proto_neg_seen;
541#endif 541#endif
542
543#ifndef OPENSSL_NO_TLSEXT
544#ifndef OPENSSL_NO_EC
545 /* This is set to true if we believe that this is a version of Safari
546 * running on OS X 10.6 or newer. We wish to know this because Safari
547 * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
548 char is_probably_safari;
549#endif /* !OPENSSL_NO_EC */
550#endif /* !OPENSSL_NO_TLSEXT */
542 } SSL3_STATE; 551 } SSL3_STATE;
543 552
544#endif 553#endif
@@ -578,8 +587,10 @@ typedef struct ssl3_state_st
578#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) 587#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
579#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) 588#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
580#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) 589#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
590#ifndef OPENSSL_NO_NEXTPROTONEG
581#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) 591#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
582#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) 592#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
593#endif
583#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) 594#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
584#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) 595#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
585/* read from server */ 596/* read from server */
@@ -629,8 +640,10 @@ typedef struct ssl3_state_st
629#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) 640#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
630#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) 641#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
631#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) 642#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
643#ifndef OPENSSL_NO_NEXTPROTONEG
632#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) 644#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
633#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) 645#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
646#endif
634#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) 647#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
635#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) 648#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
636/* write to client */ 649/* write to client */
@@ -655,7 +668,9 @@ typedef struct ssl3_state_st
655#define SSL3_MT_CLIENT_KEY_EXCHANGE 16 668#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
656#define SSL3_MT_FINISHED 20 669#define SSL3_MT_FINISHED 20
657#define SSL3_MT_CERTIFICATE_STATUS 22 670#define SSL3_MT_CERTIFICATE_STATUS 22
671#ifndef OPENSSL_NO_NEXTPROTONEG
658#define SSL3_MT_NEXT_PROTO 67 672#define SSL3_MT_NEXT_PROTO 67
673#endif
659#define DTLS1_MT_HELLO_VERIFY_REQUEST 3 674#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
660 675
661 676
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index d443143c59..9c34d19725 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -94,6 +94,7 @@ int SSL_library_init(void)
94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); 94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); 95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
96#endif 96#endif
97
97#endif 98#endif
98#ifndef OPENSSL_NO_CAMELLIA 99#ifndef OPENSSL_NO_CAMELLIA
99 EVP_add_cipher(EVP_camellia_128_cbc()); 100 EVP_add_cipher(EVP_camellia_128_cbc());
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 917be31876..5123a89182 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT *cert)
164 { 164 {
165 /* Set digest values to defaults */ 165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA 166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); 167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
168#endif 168#endif
169#ifndef OPENSSL_NO_RSA 169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif 172#endif
173#ifndef OPENSSL_NO_ECDSA 173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); 174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif 175#endif
176 } 176 }
177 177
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 92d1e94d6a..0aba8e048c 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]={
312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, 312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
313 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, 313 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0},
314 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, 314 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0},
315 {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
315 316
316 /* export flag */ 317 /* export flag */
317 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, 318 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
@@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
1150 while ( ((ch >= 'A') && (ch <= 'Z')) || 1151 while ( ((ch >= 'A') && (ch <= 'Z')) ||
1151 ((ch >= '0') && (ch <= '9')) || 1152 ((ch >= '0') && (ch <= '9')) ||
1152 ((ch >= 'a') && (ch <= 'z')) || 1153 ((ch >= 'a') && (ch <= 'z')) ||
1153 (ch == '-')) 1154 (ch == '-') || (ch == '.'))
1154#else 1155#else
1155 while ( isalnum(ch) || (ch == '-')) 1156 while ( isalnum(ch) || (ch == '-') || (ch == '.'))
1156#endif 1157#endif
1157 { 1158 {
1158 ch = *(++l); 1159 ch = *(++l);
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 2577c6895a..370fb57e3b 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -228,6 +228,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
228{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, 228{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
229{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, 229{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
230{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, 230{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
231{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"},
231{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, 232{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
232{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, 233{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
233{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, 234{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f82d071d6e..6dbc3c1f7d 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -597,8 +597,10 @@ void SSL_free(SSL *s)
597 OPENSSL_free(s->next_proto_negotiated); 597 OPENSSL_free(s->next_proto_negotiated);
598#endif 598#endif
599 599
600#ifndef OPENSSL_NO_SRTP
600 if (s->srtp_profiles) 601 if (s->srtp_profiles)
601 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); 602 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
603#endif
602 604
603 OPENSSL_free(s); 605 OPENSSL_free(s);
604 } 606 }
@@ -1795,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1795 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); 1797 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1796 1798
1797 ret->extra_certs=NULL; 1799 ret->extra_certs=NULL;
1798 ret->comp_methods=SSL_COMP_get_compression_methods(); 1800 /* No compression for DTLS */
1801 if (meth->version != DTLS1_VERSION)
1802 ret->comp_methods=SSL_COMP_get_compression_methods();
1799 1803
1800 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1804 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1801 1805
@@ -1952,8 +1956,10 @@ void SSL_CTX_free(SSL_CTX *a)
1952 a->comp_methods = NULL; 1956 a->comp_methods = NULL;
1953#endif 1957#endif
1954 1958
1959#ifndef OPENSSL_NO_SRTP
1955 if (a->srtp_profiles) 1960 if (a->srtp_profiles)
1956 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); 1961 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
1962#endif
1957 1963
1958#ifndef OPENSSL_NO_PSK 1964#ifndef OPENSSL_NO_PSK
1959 if (a->psk_identity_hint) 1965 if (a->psk_identity_hint)
@@ -2287,7 +2293,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2287#endif 2293#endif
2288 2294
2289/* THIS NEEDS CLEANING UP */ 2295/* THIS NEEDS CLEANING UP */
2290X509 *ssl_get_server_send_cert(SSL *s) 2296CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
2291 { 2297 {
2292 unsigned long alg_k,alg_a; 2298 unsigned long alg_k,alg_a;
2293 CERT *c; 2299 CERT *c;
@@ -2342,12 +2348,20 @@ X509 *ssl_get_server_send_cert(SSL *s)
2342 i=SSL_PKEY_GOST01; 2348 i=SSL_PKEY_GOST01;
2343 else /* if (alg_a & SSL_aNULL) */ 2349 else /* if (alg_a & SSL_aNULL) */
2344 { 2350 {
2345 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); 2351 SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);
2346 return(NULL); 2352 return(NULL);
2347 } 2353 }
2348 if (c->pkeys[i].x509 == NULL) return(NULL);
2349 2354
2350 return(c->pkeys[i].x509); 2355 return c->pkeys + i;
2356 }
2357
2358X509 *ssl_get_server_send_cert(const SSL *s)
2359 {
2360 CERT_PKEY *cpk;
2361 cpk = ssl_get_server_send_pkey(s);
2362 if (!cpk)
2363 return NULL;
2364 return cpk->x509;
2351 } 2365 }
2352 2366
2353EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) 2367EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
@@ -2608,7 +2622,7 @@ const char *SSL_get_version(const SSL *s)
2608 return("TLSv1.2"); 2622 return("TLSv1.2");
2609 else if (s->version == TLS1_1_VERSION) 2623 else if (s->version == TLS1_1_VERSION)
2610 return("TLSv1.1"); 2624 return("TLSv1.1");
2611 if (s->version == TLS1_VERSION) 2625 else if (s->version == TLS1_VERSION)
2612 return("TLSv1"); 2626 return("TLSv1");
2613 else if (s->version == SSL3_VERSION) 2627 else if (s->version == SSL3_VERSION)
2614 return("SSLv3"); 2628 return("SSLv3");
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d87fd51cfa..e485907748 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -215,6 +215,15 @@
215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ 215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
216 *((c)++)=(unsigned char)(((l) )&0xff)) 216 *((c)++)=(unsigned char)(((l) )&0xff))
217 217
218#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
219 *((c)++)=(unsigned char)(((l)>>48)&0xff), \
220 *((c)++)=(unsigned char)(((l)>>40)&0xff), \
221 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
222 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
223 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
224 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
225 *((c)++)=(unsigned char)(((l) )&0xff))
226
218#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ 227#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
219 l|=((BN_ULLONG)(*((c)++)))<<32, \ 228 l|=((BN_ULLONG)(*((c)++)))<<32, \
220 l|=((BN_ULLONG)(*((c)++)))<<24, \ 229 l|=((BN_ULLONG)(*((c)++)))<<24, \
@@ -612,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
612extern SSL3_ENC_METHOD SSLv3_enc_data; 621extern SSL3_ENC_METHOD SSLv3_enc_data;
613extern SSL3_ENC_METHOD DTLSv1_enc_data; 622extern SSL3_ENC_METHOD DTLSv1_enc_data;
614 623
624#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
625
615#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ 626#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
616 s_get_meth) \ 627 s_get_meth) \
617const SSL_METHOD *func_name(void) \ 628const SSL_METHOD *func_name(void) \
@@ -830,13 +841,15 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
830int ssl_undefined_function(SSL *s); 841int ssl_undefined_function(SSL *s);
831int ssl_undefined_void_function(void); 842int ssl_undefined_void_function(void);
832int ssl_undefined_const_function(const SSL *s); 843int ssl_undefined_const_function(const SSL *s);
833X509 *ssl_get_server_send_cert(SSL *); 844CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
845X509 *ssl_get_server_send_cert(const SSL *);
834EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); 846EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
835int ssl_cert_type(X509 *x,EVP_PKEY *pkey); 847int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
836void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); 848void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
837STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); 849STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
838int ssl_verify_alarm_type(long type); 850int ssl_verify_alarm_type(long type);
839void ssl_load_ciphers(void); 851void ssl_load_ciphers(void);
852int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
840 853
841int ssl2_enc_init(SSL *s, int client); 854int ssl2_enc_init(SSL *s, int client);
842int ssl2_generate_key_material(SSL *s); 855int ssl2_generate_key_material(SSL *s);
@@ -1088,7 +1101,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
1088int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); 1101int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1089int ssl_prepare_clienthello_tlsext(SSL *s); 1102int ssl_prepare_clienthello_tlsext(SSL *s);
1090int ssl_prepare_serverhello_tlsext(SSL *s); 1103int ssl_prepare_serverhello_tlsext(SSL *s);
1091int ssl_check_clienthello_tlsext(SSL *s); 1104int ssl_check_clienthello_tlsext_early(SSL *s);
1105int ssl_check_clienthello_tlsext_late(SSL *s);
1092int ssl_check_serverhello_tlsext(SSL *s); 1106int ssl_check_serverhello_tlsext(SSL *s);
1093 1107
1094#ifndef OPENSSL_NO_HEARTBEATS 1108#ifndef OPENSSL_NO_HEARTBEATS
@@ -1131,4 +1145,33 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
1131int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); 1145int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1132int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); 1146int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1133 1147
1148/* s3_cbc.c */
1149void ssl3_cbc_copy_mac(unsigned char* out,
1150 const SSL3_RECORD *rec,
1151 unsigned md_size,unsigned orig_len);
1152int ssl3_cbc_remove_padding(const SSL* s,
1153 SSL3_RECORD *rec,
1154 unsigned block_size,
1155 unsigned mac_size);
1156int tls1_cbc_remove_padding(const SSL* s,
1157 SSL3_RECORD *rec,
1158 unsigned block_size,
1159 unsigned mac_size);
1160char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1161void ssl3_cbc_digest_record(
1162 const EVP_MD_CTX *ctx,
1163 unsigned char* md_out,
1164 size_t* md_out_size,
1165 const unsigned char header[13],
1166 const unsigned char *data,
1167 size_t data_plus_mac_size,
1168 size_t data_plus_mac_plus_padding_size,
1169 const unsigned char *mac_secret,
1170 unsigned mac_secret_length,
1171 char is_sslv3);
1172
1173void tls_fips_digest_extra(
1174 const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
1175 const unsigned char *data, size_t data_len, size_t orig_len);
1176
1134#endif 1177#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index c0960b5712..60e7b66859 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -710,7 +710,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
710 710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ 711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712 712
713 in=BIO_new(BIO_s_file_internal()); 713 in = BIO_new(BIO_s_file_internal());
714 if (in == NULL) 714 if (in == NULL)
715 { 715 {
716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); 716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
@@ -723,14 +723,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
723 goto end; 723 goto end;
724 } 724 }
725 725
726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); 726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
727 ctx->default_passwd_callback_userdata);
727 if (x == NULL) 728 if (x == NULL)
728 { 729 {
729 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); 730 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
730 goto end; 731 goto end;
731 } 732 }
732 733
733 ret=SSL_CTX_use_certificate(ctx,x); 734 ret = SSL_CTX_use_certificate(ctx, x);
735
734 if (ERR_peek_error() != 0) 736 if (ERR_peek_error() != 0)
735 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ 737 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
736 if (ret) 738 if (ret)
@@ -742,13 +744,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
742 int r; 744 int r;
743 unsigned long err; 745 unsigned long err;
744 746
745 if (ctx->extra_certs != NULL) 747 if (ctx->extra_certs != NULL)
746 { 748 {
747 sk_X509_pop_free(ctx->extra_certs, X509_free); 749 sk_X509_pop_free(ctx->extra_certs, X509_free);
748 ctx->extra_certs = NULL; 750 ctx->extra_certs = NULL;
749 } 751 }
750 752
751 while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) 753 while ((ca = PEM_read_bio_X509(in, NULL,
754 ctx->default_passwd_callback,
755 ctx->default_passwd_callback_userdata))
752 != NULL) 756 != NULL)
753 { 757 {
754 r = SSL_CTX_add_extra_chain_cert(ctx, ca); 758 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index f7bdeb3b9d..0c4cddedf8 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which)
361 { 361 {
362 int i; 362 int i;
363 for (i=0; i<s->s3->tmp.key_block_length; i++) 363 for (i=0; i<s->s3->tmp.key_block_length; i++)
364 printf("%02x", key_block[i]); printf("\n"); 364 printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
365 } 365 }
366#endif /* KSSL_DEBUG */ 366#endif /* KSSL_DEBUG */
367 367
@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
415 else 415 else
416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
417 if (s->enc_write_ctx != NULL) 417 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
418 reuse_dd = 1; 418 reuse_dd = 1;
419 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 419 else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
420 goto err; 420 goto err;
421 else
422 /* make sure it's intialized in case we exit later with an error */
423 EVP_CIPHER_CTX_init(s->enc_write_ctx);
424 dd= s->enc_write_ctx; 421 dd= s->enc_write_ctx;
425 mac_ctx = ssl_replace_hash(&s->write_hash,NULL); 422 if (SSL_IS_DTLS(s))
423 {
424 mac_ctx = EVP_MD_CTX_create();
425 if (!mac_ctx)
426 goto err;
427 s->write_hash = mac_ctx;
428 }
429 else
430 mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
426#ifndef OPENSSL_NO_COMP 431#ifndef OPENSSL_NO_COMP
427 if (s->compress != NULL) 432 if (s->compress != NULL)
428 { 433 {
@@ -667,12 +672,21 @@ err:
667 return(ret); 672 return(ret);
668 } 673 }
669 674
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 *
677 * Returns:
678 * 0: (in non-constant time) if the record is publically invalid (i.e. too
679 * short etc).
680 * 1: if the record's padding is valid / the encryption was successful.
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured.
683 */
670int tls1_enc(SSL *s, int send) 684int tls1_enc(SSL *s, int send)
671 { 685 {
672 SSL3_RECORD *rec; 686 SSL3_RECORD *rec;
673 EVP_CIPHER_CTX *ds; 687 EVP_CIPHER_CTX *ds;
674 unsigned long l; 688 unsigned long l;
675 int bs,i,ii,j,k,pad=0; 689 int bs,i,j,k,pad=0,ret,mac_size=0;
676 const EVP_CIPHER *enc; 690 const EVP_CIPHER *enc;
677 691
678 if (send) 692 if (send)
@@ -729,11 +743,11 @@ int tls1_enc(SSL *s, int send)
729 printf("tls1_enc(%d)\n", send); 743 printf("tls1_enc(%d)\n", send);
730#endif /* KSSL_DEBUG */ 744#endif /* KSSL_DEBUG */
731 745
732 if ((s->session == NULL) || (ds == NULL) || 746 if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
733 (enc == NULL))
734 { 747 {
735 memmove(rec->data,rec->input,rec->length); 748 memmove(rec->data,rec->input,rec->length);
736 rec->input=rec->data; 749 rec->input=rec->data;
750 ret = 1;
737 } 751 }
738 else 752 else
739 { 753 {
@@ -797,13 +811,13 @@ int tls1_enc(SSL *s, int send)
797 811
798#ifdef KSSL_DEBUG 812#ifdef KSSL_DEBUG
799 { 813 {
800 unsigned long ui; 814 unsigned long ui;
801 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 815 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
802 ds,rec->data,rec->input,l); 816 ds,rec->data,rec->input,l);
803 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 817 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
804 ds->buf_len, ds->cipher->key_len, 818 ds->buf_len, ds->cipher->key_len,
805 DES_KEY_SZ, DES_SCHEDULE_SZ, 819 DES_KEY_SZ, DES_SCHEDULE_SZ,
806 ds->cipher->iv_len); 820 ds->cipher->iv_len);
807 printf("\t\tIV: "); 821 printf("\t\tIV: ");
808 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 822 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
809 printf("\n"); 823 printf("\n");
@@ -816,13 +830,7 @@ int tls1_enc(SSL *s, int send)
816 if (!send) 830 if (!send)
817 { 831 {
818 if (l == 0 || l%bs != 0) 832 if (l == 0 || l%bs != 0)
819 {
820 if (s->version >= TLS1_1_VERSION)
821 return -1;
822 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
823 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
824 return 0; 833 return 0;
825 }
826 } 834 }
827 835
828 i = EVP_Cipher(ds,rec->data,rec->input,l); 836 i = EVP_Cipher(ds,rec->data,rec->input,l);
@@ -839,68 +847,24 @@ int tls1_enc(SSL *s, int send)
839 847
840#ifdef KSSL_DEBUG 848#ifdef KSSL_DEBUG
841 { 849 {
842 unsigned long i; 850 unsigned long i;
843 printf("\trec->data="); 851 printf("\trec->data=");
844 for (i=0; i<l; i++) 852 for (i=0; i<l; i++)
845 printf(" %02x", rec->data[i]); printf("\n"); 853 printf(" %02x", rec->data[i]); printf("\n");
846 } 854 }
847#endif /* KSSL_DEBUG */ 855#endif /* KSSL_DEBUG */
848 856
857 ret = 1;
858 if (EVP_MD_CTX_md(s->read_hash) != NULL)
859 mac_size = EVP_MD_CTX_size(s->read_hash);
849 if ((bs != 1) && !send) 860 if ((bs != 1) && !send)
850 { 861 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
851 ii=i=rec->data[l-1]; /* padding_length */
852 i++;
853 /* NB: if compression is in operation the first packet
854 * may not be of even length so the padding bug check
855 * cannot be performed. This bug workaround has been
856 * around since SSLeay so hopefully it is either fixed
857 * now or no buggy implementation supports compression
858 * [steve]
859 */
860 if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
861 && !s->expand)
862 {
863 /* First packet is even in size, so check */
864 if ((memcmp(s->s3->read_sequence,
865 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
866 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
867 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
868 i--;
869 }
870 /* TLS 1.0 does not bound the number of padding bytes by the block size.
871 * All of them must have value 'padding_length'. */
872 if (i > (int)rec->length)
873 {
874 /* Incorrect padding. SSLerr() and ssl3_alert are done
875 * by caller: we don't want to reveal whether this is
876 * a decryption error or a MAC verification failure
877 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
878 return -1;
879 }
880 for (j=(int)(l-i); j<(int)l; j++)
881 {
882 if (rec->data[j] != ii)
883 {
884 /* Incorrect padding */
885 return -1;
886 }
887 }
888 rec->length -=i;
889 if (s->version >= TLS1_1_VERSION
890 && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
891 {
892 if (bs > (int)rec->length)
893 return -1;
894 rec->data += bs; /* skip the explicit IV */
895 rec->input += bs;
896 rec->length -= bs;
897 }
898 }
899 if (pad && !send) 862 if (pad && !send)
900 rec->length -= pad; 863 rec->length -= pad;
901 } 864 }
902 return(1); 865 return ret;
903 } 866 }
867
904int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 868int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
905 { 869 {
906 unsigned int ret; 870 unsigned int ret;
@@ -956,18 +920,19 @@ int tls1_final_finish_mac(SSL *s,
956 if (mask & ssl_get_algorithm2(s)) 920 if (mask & ssl_get_algorithm2(s))
957 { 921 {
958 int hashsize = EVP_MD_size(md); 922 int hashsize = EVP_MD_size(md);
959 if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 923 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
924 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
960 { 925 {
961 /* internal error: 'buf' is too small for this cipersuite! */ 926 /* internal error: 'buf' is too small for this cipersuite! */
962 err = 1; 927 err = 1;
963 } 928 }
964 else 929 else
965 { 930 {
966 EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); 931 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
967 EVP_DigestFinal_ex(&ctx,q,&i); 932 !EVP_DigestFinal_ex(&ctx,q,&i) ||
968 if (i != (unsigned int)hashsize) /* can't really happen */ 933 (i != (unsigned int)hashsize))
969 err = 1; 934 err = 1;
970 q+=i; 935 q+=hashsize;
971 } 936 }
972 } 937 }
973 } 938 }
@@ -990,10 +955,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
990 SSL3_RECORD *rec; 955 SSL3_RECORD *rec;
991 unsigned char *seq; 956 unsigned char *seq;
992 EVP_MD_CTX *hash; 957 EVP_MD_CTX *hash;
993 size_t md_size; 958 size_t md_size, orig_len;
994 int i; 959 int i;
995 EVP_MD_CTX hmac, *mac_ctx; 960 EVP_MD_CTX hmac, *mac_ctx;
996 unsigned char buf[5]; 961 unsigned char header[13];
997 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); 962 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
998 int t; 963 int t;
999 964
@@ -1014,12 +979,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1014 OPENSSL_assert(t >= 0); 979 OPENSSL_assert(t >= 0);
1015 md_size=t; 980 md_size=t;
1016 981
1017 buf[0]=rec->type;
1018 buf[1]=(unsigned char)(ssl->version>>8);
1019 buf[2]=(unsigned char)(ssl->version);
1020 buf[3]=rec->length>>8;
1021 buf[4]=rec->length&0xff;
1022
1023 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 982 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1024 if (stream_mac) 983 if (stream_mac)
1025 { 984 {
@@ -1027,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1027 } 986 }
1028 else 987 else
1029 { 988 {
1030 EVP_MD_CTX_copy(&hmac,hash); 989 if (!EVP_MD_CTX_copy(&hmac,hash))
990 return -1;
1031 mac_ctx = &hmac; 991 mac_ctx = &hmac;
1032 } 992 }
1033 993
@@ -1038,17 +998,55 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1038 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); 998 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
1039 memcpy (p,&seq[2],6); 999 memcpy (p,&seq[2],6);
1040 1000
1041 EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); 1001 memcpy(header, dtlsseq, 8);
1042 } 1002 }
1043 else 1003 else
1044 EVP_DigestSignUpdate(mac_ctx,seq,8); 1004 memcpy(header, seq, 8);
1005
1006 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
1007 orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
1008 rec->type &= 0xff;
1045 1009
1046 EVP_DigestSignUpdate(mac_ctx,buf,5); 1010 header[8]=rec->type;
1047 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); 1011 header[9]=(unsigned char)(ssl->version>>8);
1048 t=EVP_DigestSignFinal(mac_ctx,md,&md_size); 1012 header[10]=(unsigned char)(ssl->version);
1049 OPENSSL_assert(t > 0); 1013 header[11]=(rec->length)>>8;
1014 header[12]=(rec->length)&0xff;
1015
1016 if (!send &&
1017 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1018 ssl3_cbc_record_digest_supported(mac_ctx))
1019 {
1020 /* This is a CBC-encrypted record. We must avoid leaking any
1021 * timing-side channel information about how many blocks of
1022 * data we are hashing because that gives an attacker a
1023 * timing-oracle. */
1024 ssl3_cbc_digest_record(
1025 mac_ctx,
1026 md, &md_size,
1027 header, rec->input,
1028 rec->length + md_size, orig_len,
1029 ssl->s3->read_mac_secret,
1030 ssl->s3->read_mac_secret_size,
1031 0 /* not SSLv3 */);
1032 }
1033 else
1034 {
1035 EVP_DigestSignUpdate(mac_ctx,header,sizeof(header));
1036 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
1037 t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
1038 OPENSSL_assert(t > 0);
1039#ifdef OPENSSL_FIPS
1040 if (!send && FIPS_mode())
1041 tls_fips_digest_extra(
1042 ssl->enc_read_ctx,
1043 mac_ctx, rec->input,
1044 rec->length, orig_len);
1045#endif
1046 }
1050 1047
1051 if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); 1048 if (!stream_mac)
1049 EVP_MD_CTX_cleanup(&hmac);
1052#ifdef TLS_DEBUG 1050#ifdef TLS_DEBUG
1053printf("sec="); 1051printf("sec=");
1054{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 1052{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 27c8e3460d..bddffd92cc 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = {
342#ifndef OPENSSL_NO_SHA 342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1) 343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif 344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
348}; 345};
349 346
350int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 347int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 { 348 {
352 size_t slen = sizeof(tls12_sigalgs); 349 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
358 if (p) 350 if (p)
359 memcpy(p, tls12_sigalgs, slen); 351 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen; 352 return (int)slen;
@@ -649,6 +641,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
649 } 641 }
650#endif 642#endif
651 643
644#ifndef OPENSSL_NO_SRTP
652 if(SSL_get_srtp_profiles(s)) 645 if(SSL_get_srtp_profiles(s))
653 { 646 {
654 int el; 647 int el;
@@ -667,6 +660,37 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
667 } 660 }
668 ret += el; 661 ret += el;
669 } 662 }
663#endif
664
665#ifdef TLSEXT_TYPE_padding
666 /* Add padding to workaround bugs in F5 terminators.
667 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
668 *
669 * NB: because this code works out the length of all existing
670 * extensions it MUST always appear last.
671 */
672 {
673 int hlen = ret - (unsigned char *)s->init_buf->data;
674 /* The code in s23_clnt.c to build ClientHello messages includes the
675 * 5-byte record header in the buffer, while the code in s3_clnt.c does
676 * not. */
677 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
678 hlen -= 5;
679 if (hlen > 0xff && hlen < 0x200)
680 {
681 hlen = 0x200 - hlen;
682 if (hlen >= 4)
683 hlen -= 4;
684 else
685 hlen = 0;
686
687 s2n(TLSEXT_TYPE_padding, ret);
688 s2n(hlen, ret);
689 memset(ret, 0, hlen);
690 ret += hlen;
691 }
692 }
693#endif
670 694
671 if ((extdatalen = ret-p-2)== 0) 695 if ((extdatalen = ret-p-2)== 0)
672 return p; 696 return p;
@@ -781,6 +805,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
781 } 805 }
782#endif 806#endif
783 807
808#ifndef OPENSSL_NO_SRTP
784 if(s->srtp_profile) 809 if(s->srtp_profile)
785 { 810 {
786 int el; 811 int el;
@@ -799,6 +824,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
799 } 824 }
800 ret+=el; 825 ret+=el;
801 } 826 }
827#endif
802 828
803 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
804 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
@@ -862,6 +888,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
862 return ret; 888 return ret;
863 } 889 }
864 890
891#ifndef OPENSSL_NO_EC
892/* ssl_check_for_safari attempts to fingerprint Safari using OS X
893 * SecureTransport using the TLS extension block in |d|, of length |n|.
894 * Safari, since 10.6, sends exactly these extensions, in this order:
895 * SNI,
896 * elliptic_curves
897 * ec_point_formats
898 *
899 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
900 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
901 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
902 * 10.8..10.8.3 (which don't work).
903 */
904static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
905 unsigned short type, size;
906 static const unsigned char kSafariExtensionsBlock[] = {
907 0x00, 0x0a, /* elliptic_curves extension */
908 0x00, 0x08, /* 8 bytes */
909 0x00, 0x06, /* 6 bytes of curve ids */
910 0x00, 0x17, /* P-256 */
911 0x00, 0x18, /* P-384 */
912 0x00, 0x19, /* P-521 */
913
914 0x00, 0x0b, /* ec_point_formats */
915 0x00, 0x02, /* 2 bytes */
916 0x01, /* 1 point format */
917 0x00, /* uncompressed */
918 };
919
920 /* The following is only present in TLS 1.2 */
921 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
922 0x00, 0x0d, /* signature_algorithms */
923 0x00, 0x0c, /* 12 bytes */
924 0x00, 0x0a, /* 10 bytes */
925 0x05, 0x01, /* SHA-384/RSA */
926 0x04, 0x01, /* SHA-256/RSA */
927 0x02, 0x01, /* SHA-1/RSA */
928 0x04, 0x03, /* SHA-256/ECDSA */
929 0x02, 0x03, /* SHA-1/ECDSA */
930 };
931
932 if (data >= (d+n-2))
933 return;
934 data += 2;
935
936 if (data > (d+n-4))
937 return;
938 n2s(data,type);
939 n2s(data,size);
940
941 if (type != TLSEXT_TYPE_server_name)
942 return;
943
944 if (data+size > d+n)
945 return;
946 data += size;
947
948 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
949 {
950 const size_t len1 = sizeof(kSafariExtensionsBlock);
951 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
952
953 if (data + len1 + len2 != d+n)
954 return;
955 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
956 return;
957 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
958 return;
959 }
960 else
961 {
962 const size_t len = sizeof(kSafariExtensionsBlock);
963
964 if (data + len != d+n)
965 return;
966 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
967 return;
968 }
969
970 s->s3->is_probably_safari = 1;
971}
972#endif /* !OPENSSL_NO_EC */
973
865int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 974int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
866 { 975 {
867 unsigned short type; 976 unsigned short type;
@@ -882,6 +991,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 991 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883#endif 992#endif
884 993
994#ifndef OPENSSL_NO_EC
995 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
996 ssl_check_for_safari(s, data, d, n);
997#endif /* !OPENSSL_NO_EC */
998
885 if (data >= (d+n-2)) 999 if (data >= (d+n-2))
886 goto ri_check; 1000 goto ri_check;
887 n2s(data,len); 1001 n2s(data,len);
@@ -1077,7 +1191,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1077 int ellipticcurvelist_length = (*(sdata++) << 8); 1191 int ellipticcurvelist_length = (*(sdata++) << 8);
1078 ellipticcurvelist_length += (*(sdata++)); 1192 ellipticcurvelist_length += (*(sdata++));
1079 1193
1080 if (ellipticcurvelist_length != size - 2) 1194 if (ellipticcurvelist_length != size - 2 ||
1195 ellipticcurvelist_length < 1)
1081 { 1196 {
1082 *al = TLS1_AD_DECODE_ERROR; 1197 *al = TLS1_AD_DECODE_ERROR;
1083 return 0; 1198 return 0;
@@ -1176,7 +1291,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1176 } 1291 }
1177 } 1292 }
1178 else if (type == TLSEXT_TYPE_status_request && 1293 else if (type == TLSEXT_TYPE_status_request &&
1179 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 1294 s->version != DTLS1_VERSION)
1180 { 1295 {
1181 1296
1182 if (size < 5) 1297 if (size < 5)
@@ -1328,12 +1443,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1328#endif 1443#endif
1329 1444
1330 /* session ticket processed earlier */ 1445 /* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP
1331 else if (type == TLSEXT_TYPE_use_srtp) 1447 else if (type == TLSEXT_TYPE_use_srtp)
1332 { 1448 {
1333 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1449 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334 al)) 1450 al))
1335 return 0; 1451 return 0;
1336 } 1452 }
1453#endif
1337 1454
1338 data+=size; 1455 data+=size;
1339 } 1456 }
@@ -1433,7 +1550,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1433 unsigned char *sdata = data; 1550 unsigned char *sdata = data;
1434 int ecpointformatlist_length = *(sdata++); 1551 int ecpointformatlist_length = *(sdata++);
1435 1552
1436 if (ecpointformatlist_length != size - 1) 1553 if (ecpointformatlist_length != size - 1 ||
1554 ecpointformatlist_length < 1)
1437 { 1555 {
1438 *al = TLS1_AD_DECODE_ERROR; 1556 *al = TLS1_AD_DECODE_ERROR;
1439 return 0; 1557 return 0;
@@ -1527,7 +1645,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1527 unsigned char selected_len; 1645 unsigned char selected_len;
1528 1646
1529 /* We must have requested it. */ 1647 /* We must have requested it. */
1530 if ((s->ctx->next_proto_select_cb == NULL)) 1648 if (s->ctx->next_proto_select_cb == NULL)
1531 { 1649 {
1532 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1650 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533 return 0; 1651 return 0;
@@ -1577,12 +1695,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1577 } 1695 }
1578 } 1696 }
1579#endif 1697#endif
1698#ifndef OPENSSL_NO_SRTP
1580 else if (type == TLSEXT_TYPE_use_srtp) 1699 else if (type == TLSEXT_TYPE_use_srtp)
1581 { 1700 {
1582 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1701 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583 al)) 1702 al))
1584 return 0; 1703 return 0;
1585 } 1704 }
1705#endif
1586 1706
1587 data+=size; 1707 data+=size;
1588 } 1708 }
@@ -1763,7 +1883,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
1763 return 1; 1883 return 1;
1764 } 1884 }
1765 1885
1766int ssl_check_clienthello_tlsext(SSL *s) 1886int ssl_check_clienthello_tlsext_early(SSL *s)
1767 { 1887 {
1768 int ret=SSL_TLSEXT_ERR_NOACK; 1888 int ret=SSL_TLSEXT_ERR_NOACK;
1769 int al = SSL_AD_UNRECOGNIZED_NAME; 1889 int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1782,42 +1902,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
1782 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1902 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1783 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1903 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1784 1904
1785 /* If status request then ask callback what to do.
1786 * Note: this must be called after servername callbacks in case
1787 * the certificate has changed.
1788 */
1789 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1790 {
1791 int r;
1792 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1793 switch (r)
1794 {
1795 /* We don't want to send a status request response */
1796 case SSL_TLSEXT_ERR_NOACK:
1797 s->tlsext_status_expected = 0;
1798 break;
1799 /* status request response should be sent */
1800 case SSL_TLSEXT_ERR_OK:
1801 if (s->tlsext_ocsp_resp)
1802 s->tlsext_status_expected = 1;
1803 else
1804 s->tlsext_status_expected = 0;
1805 break;
1806 /* something bad happened */
1807 case SSL_TLSEXT_ERR_ALERT_FATAL:
1808 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1809 al = SSL_AD_INTERNAL_ERROR;
1810 goto err;
1811 }
1812 }
1813 else
1814 s->tlsext_status_expected = 0;
1815
1816#ifdef TLSEXT_TYPE_opaque_prf_input 1905#ifdef TLSEXT_TYPE_opaque_prf_input
1817 { 1906 {
1818 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1907 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1819 * but we might be sending an alert in response to the client hello, 1908 * but we might be sending an alert in response to the client hello,
1820 * so this has to happen here in ssl_check_clienthello_tlsext(). */ 1909 * so this has to happen here in
1910 * ssl_check_clienthello_tlsext_early(). */
1821 1911
1822 int r = 1; 1912 int r = 1;
1823 1913
@@ -1869,8 +1959,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
1869 } 1959 }
1870 } 1960 }
1871 1961
1872#endif
1873 err: 1962 err:
1963#endif
1874 switch (ret) 1964 switch (ret)
1875 { 1965 {
1876 case SSL_TLSEXT_ERR_ALERT_FATAL: 1966 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1888,6 +1978,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
1888 } 1978 }
1889 } 1979 }
1890 1980
1981int ssl_check_clienthello_tlsext_late(SSL *s)
1982 {
1983 int ret = SSL_TLSEXT_ERR_OK;
1984 int al;
1985
1986 /* If status request then ask callback what to do.
1987 * Note: this must be called after servername callbacks in case
1988 * the certificate has changed, and must be called after the cipher
1989 * has been chosen because this may influence which certificate is sent
1990 */
1991 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1992 {
1993 int r;
1994 CERT_PKEY *certpkey;
1995 certpkey = ssl_get_server_send_pkey(s);
1996 /* If no certificate can't return certificate status */
1997 if (certpkey == NULL)
1998 {
1999 s->tlsext_status_expected = 0;
2000 return 1;
2001 }
2002 /* Set current certificate to one we will use so
2003 * SSL_get_certificate et al can pick it up.
2004 */
2005 s->cert->key = certpkey;
2006 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2007 switch (r)
2008 {
2009 /* We don't want to send a status request response */
2010 case SSL_TLSEXT_ERR_NOACK:
2011 s->tlsext_status_expected = 0;
2012 break;
2013 /* status request response should be sent */
2014 case SSL_TLSEXT_ERR_OK:
2015 if (s->tlsext_ocsp_resp)
2016 s->tlsext_status_expected = 1;
2017 else
2018 s->tlsext_status_expected = 0;
2019 break;
2020 /* something bad happened */
2021 case SSL_TLSEXT_ERR_ALERT_FATAL:
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_INTERNAL_ERROR;
2024 goto err;
2025 }
2026 }
2027 else
2028 s->tlsext_status_expected = 0;
2029
2030 err:
2031 switch (ret)
2032 {
2033 case SSL_TLSEXT_ERR_ALERT_FATAL:
2034 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2035 return -1;
2036
2037 case SSL_TLSEXT_ERR_ALERT_WARNING:
2038 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039 return 1;
2040
2041 default:
2042 return 1;
2043 }
2044 }
2045
1891int ssl_check_serverhello_tlsext(SSL *s) 2046int ssl_check_serverhello_tlsext(SSL *s)
1892 { 2047 {
1893 int ret=SSL_TLSEXT_ERR_NOACK; 2048 int ret=SSL_TLSEXT_ERR_NOACK;
@@ -2189,7 +2344,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2189 HMAC_Update(&hctx, etick, eticklen); 2344 HMAC_Update(&hctx, etick, eticklen);
2190 HMAC_Final(&hctx, tick_hmac, NULL); 2345 HMAC_Final(&hctx, tick_hmac, NULL);
2191 HMAC_CTX_cleanup(&hctx); 2346 HMAC_CTX_cleanup(&hctx);
2192 if (memcmp(tick_hmac, etick + eticklen, mlen)) 2347 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2193 return 2; 2348 return 2;
2194 /* Attempt to decrypt session data */ 2349 /* Attempt to decrypt session data */
2195 /* Move p after IV to start of encrypted ticket, update length */ 2350 /* Move p after IV to start of encrypted ticket, update length */
@@ -2319,14 +2474,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319 { 2474 {
2320 switch(hash_alg) 2475 switch(hash_alg)
2321 { 2476 {
2322#ifndef OPENSSL_NO_MD5
2323 case TLSEXT_hash_md5:
2324#ifdef OPENSSL_FIPS
2325 if (FIPS_mode())
2326 return NULL;
2327#endif
2328 return EVP_md5();
2329#endif
2330#ifndef OPENSSL_NO_SHA 2477#ifndef OPENSSL_NO_SHA
2331 case TLSEXT_hash_sha1: 2478 case TLSEXT_hash_sha1:
2332 return EVP_sha1(); 2479 return EVP_sha1();
@@ -2414,7 +2561,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2414 */ 2561 */
2415#ifndef OPENSSL_NO_DSA 2562#ifndef OPENSSL_NO_DSA
2416 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2563 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); 2564 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2418#endif 2565#endif
2419#ifndef OPENSSL_NO_RSA 2566#ifndef OPENSSL_NO_RSA
2420 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2567 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2425,7 +2572,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2425#endif 2572#endif
2426#ifndef OPENSSL_NO_ECDSA 2573#ifndef OPENSSL_NO_ECDSA
2427 if (!c->pkeys[SSL_PKEY_ECC].digest) 2574 if (!c->pkeys[SSL_PKEY_ECC].digest)
2428 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); 2575 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2429#endif 2576#endif
2430 return 1; 2577 return 1;
2431 } 2578 }
@@ -2441,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
2441 unsigned int payload; 2588 unsigned int payload;
2442 unsigned int padding = 16; /* Use minimum padding */ 2589 unsigned int padding = 16; /* Use minimum padding */
2443 2590
2444 /* Read type and payload length first */
2445 hbtype = *p++;
2446 n2s(p, payload);
2447 pl = p;
2448
2449 if (s->msg_callback) 2591 if (s->msg_callback)
2450 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2592 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451 &s->s3->rrec.data[0], s->s3->rrec.length, 2593 &s->s3->rrec.data[0], s->s3->rrec.length,
2452 s, s->msg_callback_arg); 2594 s, s->msg_callback_arg);
2453 2595
2596 /* Read type and payload length first */
2597 if (1 + 2 + 16 > s->s3->rrec.length)
2598 return 0; /* silently discard */
2599 hbtype = *p++;
2600 n2s(p, payload);
2601 if (1 + 2 + payload + 16 > s->s3->rrec.length)
2602 return 0; /* silently discard per RFC 6520 sec. 4 */
2603 pl = p;
2604
2454 if (hbtype == TLS1_HB_REQUEST) 2605 if (hbtype == TLS1_HB_REQUEST)
2455 { 2606 {
2456 unsigned char *buffer, *bp; 2607 unsigned char *buffer, *bp;
diff --git a/src/lib/libssl/test/cms-test.pl b/src/lib/libssl/test/cms-test.pl
index c938bcf00d..dfef799be2 100644
--- a/src/lib/libssl/test/cms-test.pl
+++ b/src/lib/libssl/test/cms-test.pl
@@ -415,8 +415,10 @@ sub run_smime_tests {
415} 415}
416 416
417sub cmp_files { 417sub cmp_files {
418 use FileHandle;
418 my ( $f1, $f2 ) = @_; 419 my ( $f1, $f2 ) = @_;
419 my ( $fp1, $fp2 ); 420 my $fp1 = FileHandle->new();
421 my $fp2 = FileHandle->new();
420 422
421 my ( $rd1, $rd2 ); 423 my ( $rd1, $rd2 );
422 424
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index 5ae4dc8720..4e8542b556 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
119echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify 119echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
120$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 120$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
121 121
122echo "Testing ciphersuites"
123for protocol in TLSv1.2 SSLv3; do
124 echo "Testing ciphersuites for $protocol"
125 for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
126 echo "Testing $cipher"
127 prot=""
128 if [ $protocol = "SSLv3" ] ; then
129 prot="-ssl3"
130 fi
131 $ssltest -cipher $cipher $prot
132 if [ $? -ne 0 ] ; then
133 echo "Failed $cipher"
134 exit 1
135 fi
136 done
137done
138
122############################################################################# 139#############################################################################
123 140
124if ../util/shlib_wrap.sh ../apps/openssl no-dh; then 141if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index c39c267f0b..c992091e30 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -230,6 +230,12 @@ extern "C" {
230/* ExtensionType value from RFC5620 */ 230/* ExtensionType value from RFC5620 */
231#define TLSEXT_TYPE_heartbeat 15 231#define TLSEXT_TYPE_heartbeat 15
232 232
233/* ExtensionType value for TLS padding extension.
234 * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
235 * http://tools.ietf.org/html/draft-agl-tls-padding-03
236 */
237#define TLSEXT_TYPE_padding 21
238
233/* ExtensionType value from RFC4507 */ 239/* ExtensionType value from RFC4507 */
234#define TLSEXT_TYPE_session_ticket 35 240#define TLSEXT_TYPE_session_ticket 35
235 241