8 files changed, 60 insertions, 80 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 848de8c268..9ccc67acb9 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s)
 {
        STACK_OF(SSL_CIPHER)    *sk;
        const SSL_CIPHER        *c;
-        unsigned char           *p, *d;
+        unsigned char           *p, *q, *d;
        int                      i, al, ok;
-        unsigned int             j;
+        unsigned int             j, cipher_id;
+        uint16_t                 cipher_value;
        long                     n;
        n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
@@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s)
        p += SSL3_RANDOM_SIZE;
        /* get the session-id */
-        j= *(p++);
+        j = *(p++);
        if ((j > sizeof s->session->session_id) ||
            (j > SSL3_SESSION_ID_SIZE)) {
@@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s)
        if (p + j + 2 - d > n)
                goto truncated;
+        /* Get the cipher value. */
+        q = p + j;
+        n2s(q, cipher_value);
+        cipher_id = SSL3_CK_ID | cipher_value;
        /*
         * Check if we want to resume the session based on external
         * pre-shared secret
@@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s)
                    &s->session->master_key_length, NULL, &pref_cipher,
                    s->tls_session_secret_cb_arg)) {
                        s->session->cipher = pref_cipher ?
-                            pref_cipher : ssl3_get_cipher_by_char(p + j);
+                            pref_cipher : ssl3_get_cipher_by_id(cipher_id);
                        s->s3->flags |= SSL3_FLAGS_CCS_OK;
                }
        }
@@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s)
                        }
                }
                s->session->session_id_length = j;
-                memcpy(s->session->session_id,p,j); /* j could be 0 */
+                memcpy(s->session->session_id, p, j); /* j could be 0 */
        }
        p += j;
-        c = ssl3_get_cipher_by_char(p);
+        c = ssl3_get_cipher_by_id(cipher_id);
        if (c == NULL) {
                /* unknown cipher */
                al = SSL_AD_ILLEGAL_PARAMETER;
@@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s)
                    SSL_R_UNKNOWN_CIPHER_RETURNED);
                goto f_err;
        }
        /* TLS v1.2 only ciphersuites require v1.2 or later */
        if ((c->algorithm_ssl & SSL_TLSV1_2) &&
            (TLS1_get_version(s) < TLS1_2_VERSION)) {
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 1d84effeea..1578f0388d 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
        return (1);
 }
-/* This function needs to check if the ciphers required are actually
- * available */
-const SSL_CIPHER *
-ssl3_get_cipher_by_char(const unsigned char *p)
-{
-        SSL_CIPHER               c;
-        const SSL_CIPHER        *cp;
-        unsigned long            id;
-        id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1];
-        c.id = id;
-        cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
-#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
-        if (cp == NULL)
-                fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]);
-#endif
-        if (cp == NULL || cp->valid == 0)
-                return NULL;
-        else
-                return cp;
-}
 int
 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 {
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 848de8c268..9ccc67acb9 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */
+/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s)
 {
        STACK_OF(SSL_CIPHER)    *sk;
        const SSL_CIPHER        *c;
-        unsigned char           *p, *d;
+        unsigned char           *p, *q, *d;
        int                      i, al, ok;
-        unsigned int             j;
+        unsigned int             j, cipher_id;
+        uint16_t                 cipher_value;
        long                     n;
        n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
@@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s)
        p += SSL3_RANDOM_SIZE;
        /* get the session-id */
-        j= *(p++);
+        j = *(p++);
        if ((j > sizeof s->session->session_id) ||
            (j > SSL3_SESSION_ID_SIZE)) {
@@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s)
        if (p + j + 2 - d > n)
                goto truncated;
+        /* Get the cipher value. */
+        q = p + j;
+        n2s(q, cipher_value);
+        cipher_id = SSL3_CK_ID | cipher_value;
        /*
         * Check if we want to resume the session based on external
         * pre-shared secret
@@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s)
                    &s->session->master_key_length, NULL, &pref_cipher,
                    s->tls_session_secret_cb_arg)) {
                        s->session->cipher = pref_cipher ?
-                            pref_cipher : ssl3_get_cipher_by_char(p + j);
+                            pref_cipher : ssl3_get_cipher_by_id(cipher_id);
                        s->s3->flags |= SSL3_FLAGS_CCS_OK;
                }
        }
@@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s)
                        }
                }
                s->session->session_id_length = j;
-                memcpy(s->session->session_id,p,j); /* j could be 0 */
+                memcpy(s->session->session_id, p, j); /* j could be 0 */
        }
        p += j;
-        c = ssl3_get_cipher_by_char(p);
+        c = ssl3_get_cipher_by_id(cipher_id);
        if (c == NULL) {
                /* unknown cipher */
                al = SSL_AD_ILLEGAL_PARAMETER;
@@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s)
                    SSL_R_UNKNOWN_CIPHER_RETURNED);
                goto f_err;
        }
        /* TLS v1.2 only ciphersuites require v1.2 or later */
        if ((c->algorithm_ssl & SSL_TLSV1_2) &&
            (TLS1_get_version(s) < TLS1_2_VERSION)) {
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 1d84effeea..1578f0388d 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
        return (1);
 }
-/* This function needs to check if the ciphers required are actually
- * available */
-const SSL_CIPHER *
-ssl3_get_cipher_by_char(const unsigned char *p)
-{
-        SSL_CIPHER               c;
-        const SSL_CIPHER        *cp;
-        unsigned long            id;
-        id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1];
-        c.id = id;
-        cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
-#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
-        if (cp == NULL)
-                fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]);
-#endif
-        if (cp == NULL || cp->valid == 0)
-                return NULL;
-        else
-                return cp;
-}
 int
 ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 {
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 55ab469df5..e5dedf0ba4 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
        const SSL_CIPHER        *c;
        STACK_OF(SSL_CIPHER)    *sk;
        int                      i;
+        unsigned int             cipher_id;
+        uint16_t                 cipher_value;
        if (s->s3)
                s->s3->send_connection_binding = 0;
@@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
        }
        for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
+                n2s(p, cipher_value);
+                cipher_id = SSL3_CK_ID | cipher_value;
                /* Check for SCSV */
-                if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+                if (s->s3 && cipher_id == SSL3_CK_SCSV) {
-                    (p[1] == (SSL3_CK_SCSV & 0xff))) {
+                        /* SCSV is fatal if renegotiating. */
-                        /* SCSV fatal if renegotiating */
                        if (s->renegotiate) {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                                    SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
                                goto err;
                        }
                        s->s3->send_connection_binding = 1;
-                        p += SSL3_CIPHER_VALUE_SIZE;
                        continue;
                }
-                c = ssl3_get_cipher_by_char(p);
+                c = ssl3_get_cipher_by_id(cipher_id);
-                p += SSL3_CIPHER_VALUE_SIZE;
                if (c != NULL) {
                        if (!sk_SSL_CIPHER_push(sk, c)) {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
        if (skp != NULL)
                *skp = sk;
        return (sk);
 err:
-        if ((skp == NULL) || (*skp == NULL))
+        if (skp == NULL || *skp == NULL)
                sk_SSL_CIPHER_free(sk);
        return (NULL);
 }
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 87b27a1d99..1c823c046a 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -325,6 +325,8 @@
 * make sure to update this constant too */
 #define SSL_MAX_DIGEST 6
+#define SSL3_CK_ID              0x03000000
 #define TLS1_PRF_DGST_MASK      (0xff << TLS1_PRF_DGST_SHIFT)
 #define TLS1_PRF_DGST_SHIFT 10
@@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 void ssl_load_ciphers(void);
-const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
 void ssl3_init_finished_mac(SSL *s);
 int ssl3_send_server_certificate(SSL *s);
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 55ab469df5..e5dedf0ba4 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
        const SSL_CIPHER        *c;
        STACK_OF(SSL_CIPHER)    *sk;
        int                      i;
+        unsigned int             cipher_id;
+        uint16_t                 cipher_value;
        if (s->s3)
                s->s3->send_connection_binding = 0;
@@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
        }
        for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
+                n2s(p, cipher_value);
+                cipher_id = SSL3_CK_ID | cipher_value;
                /* Check for SCSV */
-                if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+                if (s->s3 && cipher_id == SSL3_CK_SCSV) {
-                    (p[1] == (SSL3_CK_SCSV & 0xff))) {
+                        /* SCSV is fatal if renegotiating. */
-                        /* SCSV fatal if renegotiating */
                        if (s->renegotiate) {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                                    SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
                                goto err;
                        }
                        s->s3->send_connection_binding = 1;
-                        p += SSL3_CIPHER_VALUE_SIZE;
                        continue;
                }
-                c = ssl3_get_cipher_by_char(p);
+                c = ssl3_get_cipher_by_id(cipher_id);
-                p += SSL3_CIPHER_VALUE_SIZE;
                if (c != NULL) {
                        if (!sk_SSL_CIPHER_push(sk, c)) {
                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
        if (skp != NULL)
                *skp = sk;
        return (sk);
 err:
-        if ((skp == NULL) || (*skp == NULL))
+        if (skp == NULL || *skp == NULL)
                sk_SSL_CIPHER_free(sk);
        return (NULL);
 }
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 87b27a1d99..1c823c046a 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -325,6 +325,8 @@
 * make sure to update this constant too */
 #define SSL_MAX_DIGEST 6
+#define SSL3_CK_ID              0x03000000
 #define TLS1_PRF_DGST_MASK      (0xff << TLS1_PRF_DGST_SHIFT)
 #define TLS1_PRF_DGST_SHIFT 10
@@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 void ssl_load_ciphers(void);
-const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
 void ssl3_init_finished_mac(SSL *s);
 int ssl3_send_server_certificate(SSL *s);

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index 848de8c268..9ccc67acb9 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s)
775	{	775	{
776	STACK_OF(SSL_CIPHER) *sk;	776	STACK_OF(SSL_CIPHER) *sk;
777	const SSL_CIPHER *c;	777	const SSL_CIPHER *c;
778	unsigned char p, d;	778	unsigned char p, q, *d;
779	int i, al, ok;	779	int i, al, ok;
780	unsigned int j;	780	unsigned int j, cipher_id;
		781	uint16_t cipher_value;
781	long n;	782	long n;
782		783
783	n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,	784	n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
@@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s)
830	p += SSL3_RANDOM_SIZE;	831	p += SSL3_RANDOM_SIZE;
831		832
832	/* get the session-id */	833	/* get the session-id */
833	j= *(p++);	834	j = *(p++);
834		835
835	if ((j > sizeof s->session->session_id) \|\|	836	if ((j > sizeof s->session->session_id) \|\|
836	(j > SSL3_SESSION_ID_SIZE)) {	837	(j > SSL3_SESSION_ID_SIZE)) {
@@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s)
843	if (p + j + 2 - d > n)	844	if (p + j + 2 - d > n)
844	goto truncated;	845	goto truncated;
845		846
		847	/* Get the cipher value. */
		848	q = p + j;
		849	n2s(q, cipher_value);
		850	cipher_id = SSL3_CK_ID \| cipher_value;
		851
846	/*	852	/*
847	* Check if we want to resume the session based on external	853	* Check if we want to resume the session based on external
848	* pre-shared secret	854	* pre-shared secret
@@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s)
854	&s->session->master_key_length, NULL, &pref_cipher,	860	&s->session->master_key_length, NULL, &pref_cipher,
855	s->tls_session_secret_cb_arg)) {	861	s->tls_session_secret_cb_arg)) {
856	s->session->cipher = pref_cipher ?	862	s->session->cipher = pref_cipher ?
857	pref_cipher : ssl3_get_cipher_by_char(p + j);	863	pref_cipher : ssl3_get_cipher_by_id(cipher_id);
858	s->s3->flags \|= SSL3_FLAGS_CCS_OK;	864	s->s3->flags \|= SSL3_FLAGS_CCS_OK;
859	}	865	}
860	}	866	}
@@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s)
885	}	891	}
886	}	892	}
887	s->session->session_id_length = j;	893	s->session->session_id_length = j;
888	memcpy(s->session->session_id,p,j); /* j could be 0 */	894	memcpy(s->session->session_id, p, j); /* j could be 0 */
889	}	895	}
890	p += j;	896	p += j;
891	c = ssl3_get_cipher_by_char(p);	897
		898	c = ssl3_get_cipher_by_id(cipher_id);
892	if (c == NULL) {	899	if (c == NULL) {
893	/* unknown cipher */	900	/* unknown cipher */
894	al = SSL_AD_ILLEGAL_PARAMETER;	901	al = SSL_AD_ILLEGAL_PARAMETER;
@@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s)
896	SSL_R_UNKNOWN_CIPHER_RETURNED);	903	SSL_R_UNKNOWN_CIPHER_RETURNED);
897	goto f_err;	904	goto f_err;
898	}	905	}
		906
899	/* TLS v1.2 only ciphersuites require v1.2 or later */	907	/* TLS v1.2 only ciphersuites require v1.2 or later */
900	if ((c->algorithm_ssl & SSL_TLSV1_2) &&	908	if ((c->algorithm_ssl & SSL_TLSV1_2) &&
901	(TLS1_get_version(s) < TLS1_2_VERSION)) {	909	(TLS1_get_version(s) < TLS1_2_VERSION)) {


diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 1d84effeea..1578f0388d 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX ctx, int cmd, void (fp)(void))
2452	return (1);	2452	return (1);
2453	}	2453	}
2454		2454
2455	/* This function needs to check if the ciphers required are actually
2456	* available */
2457	const SSL_CIPHER *
2458	ssl3_get_cipher_by_char(const unsigned char *p)
2459	{
2460	SSL_CIPHER c;
2461	const SSL_CIPHER *cp;
2462	unsigned long id;
2463
2464	id = 0x03000000L \| ((unsigned long)p[0] << 8L) \| (unsigned long)p[1];
2465	c.id = id;
2466	cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
2467	#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
2468	if (cp == NULL)
2469	fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) \| p[1]);
2470	#endif
2471	if (cp == NULL \|\| cp->valid == 0)
2472	return NULL;
2473	else
2474	return cp;
2475	}
2476
2477	int	2455	int
2478	ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p)	2456	ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p)
2479	{	2457	{


diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 848de8c268..9ccc67acb9 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_clnt.c,v 1.87 2014/08/11 01:10:42 jsing Exp $ */	1	/* $OpenBSD: s3_clnt.c,v 1.88 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -775,9 +775,10 @@ ssl3_get_server_hello(SSL *s)
775	{	775	{
776	STACK_OF(SSL_CIPHER) *sk;	776	STACK_OF(SSL_CIPHER) *sk;
777	const SSL_CIPHER *c;	777	const SSL_CIPHER *c;
778	unsigned char p, d;	778	unsigned char p, q, *d;
779	int i, al, ok;	779	int i, al, ok;
780	unsigned int j;	780	unsigned int j, cipher_id;
		781	uint16_t cipher_value;
781	long n;	782	long n;
782		783
783	n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,	784	n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
@@ -830,7 +831,7 @@ ssl3_get_server_hello(SSL *s)
830	p += SSL3_RANDOM_SIZE;	831	p += SSL3_RANDOM_SIZE;
831		832
832	/* get the session-id */	833	/* get the session-id */
833	j= *(p++);	834	j = *(p++);
834		835
835	if ((j > sizeof s->session->session_id) \|\|	836	if ((j > sizeof s->session->session_id) \|\|
836	(j > SSL3_SESSION_ID_SIZE)) {	837	(j > SSL3_SESSION_ID_SIZE)) {
@@ -843,6 +844,11 @@ ssl3_get_server_hello(SSL *s)
843	if (p + j + 2 - d > n)	844	if (p + j + 2 - d > n)
844	goto truncated;	845	goto truncated;
845		846
		847	/* Get the cipher value. */
		848	q = p + j;
		849	n2s(q, cipher_value);
		850	cipher_id = SSL3_CK_ID \| cipher_value;
		851
846	/*	852	/*
847	* Check if we want to resume the session based on external	853	* Check if we want to resume the session based on external
848	* pre-shared secret	854	* pre-shared secret
@@ -854,7 +860,7 @@ ssl3_get_server_hello(SSL *s)
854	&s->session->master_key_length, NULL, &pref_cipher,	860	&s->session->master_key_length, NULL, &pref_cipher,
855	s->tls_session_secret_cb_arg)) {	861	s->tls_session_secret_cb_arg)) {
856	s->session->cipher = pref_cipher ?	862	s->session->cipher = pref_cipher ?
857	pref_cipher : ssl3_get_cipher_by_char(p + j);	863	pref_cipher : ssl3_get_cipher_by_id(cipher_id);
858	s->s3->flags \|= SSL3_FLAGS_CCS_OK;	864	s->s3->flags \|= SSL3_FLAGS_CCS_OK;
859	}	865	}
860	}	866	}
@@ -885,10 +891,11 @@ ssl3_get_server_hello(SSL *s)
885	}	891	}
886	}	892	}
887	s->session->session_id_length = j;	893	s->session->session_id_length = j;
888	memcpy(s->session->session_id,p,j); /* j could be 0 */	894	memcpy(s->session->session_id, p, j); /* j could be 0 */
889	}	895	}
890	p += j;	896	p += j;
891	c = ssl3_get_cipher_by_char(p);	897
		898	c = ssl3_get_cipher_by_id(cipher_id);
892	if (c == NULL) {	899	if (c == NULL) {
893	/* unknown cipher */	900	/* unknown cipher */
894	al = SSL_AD_ILLEGAL_PARAMETER;	901	al = SSL_AD_ILLEGAL_PARAMETER;
@@ -896,6 +903,7 @@ ssl3_get_server_hello(SSL *s)
896	SSL_R_UNKNOWN_CIPHER_RETURNED);	903	SSL_R_UNKNOWN_CIPHER_RETURNED);
897	goto f_err;	904	goto f_err;
898	}	905	}
		906
899	/* TLS v1.2 only ciphersuites require v1.2 or later */	907	/* TLS v1.2 only ciphersuites require v1.2 or later */
900	if ((c->algorithm_ssl & SSL_TLSV1_2) &&	908	if ((c->algorithm_ssl & SSL_TLSV1_2) &&
901	(TLS1_get_version(s) < TLS1_2_VERSION)) {	909	(TLS1_get_version(s) < TLS1_2_VERSION)) {


diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c index 1d84effeea..1578f0388d 100644 --- a/src/lib/libssl/src/ssl/s3_lib.c +++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.76 2014/08/11 01:06:22 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.77 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2452,28 +2452,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX ctx, int cmd, void (fp)(void))
2452	return (1);	2452	return (1);
2453	}	2453	}
2454		2454
2455	/* This function needs to check if the ciphers required are actually
2456	* available */
2457	const SSL_CIPHER *
2458	ssl3_get_cipher_by_char(const unsigned char *p)
2459	{
2460	SSL_CIPHER c;
2461	const SSL_CIPHER *cp;
2462	unsigned long id;
2463
2464	id = 0x03000000L \| ((unsigned long)p[0] << 8L) \| (unsigned long)p[1];
2465	c.id = id;
2466	cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
2467	#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
2468	if (cp == NULL)
2469	fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) \| p[1]);
2470	#endif
2471	if (cp == NULL \|\| cp->valid == 0)
2472	return NULL;
2473	else
2474	return cp;
2475	}
2476
2477	int	2455	int
2478	ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p)	2456	ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p)
2479	{	2457	{


diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 55ab469df5..e5dedf0ba4 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1408	const SSL_CIPHER *c;	1408	const SSL_CIPHER *c;
1409	STACK_OF(SSL_CIPHER) *sk;	1409	STACK_OF(SSL_CIPHER) *sk;
1410	int i;	1410	int i;
		1411	unsigned int cipher_id;
		1412	uint16_t cipher_value;
1411		1413
1412	if (s->s3)	1414	if (s->s3)
1413	s->s3->send_connection_binding = 0;	1415	s->s3->send_connection_binding = 0;
@@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1427	}	1429	}
1428		1430
1429	for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {	1431	for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
		1432	n2s(p, cipher_value);
		1433	cipher_id = SSL3_CK_ID \| cipher_value;
		1434
1430	/* Check for SCSV */	1435	/* Check for SCSV */
1431	if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&	1436	if (s->s3 && cipher_id == SSL3_CK_SCSV) {
1432	(p[1] == (SSL3_CK_SCSV & 0xff))) {	1437	/* SCSV is fatal if renegotiating. */
1433	/* SCSV fatal if renegotiating */
1434	if (s->renegotiate) {	1438	if (s->renegotiate) {
1435	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,	1439	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
1436	SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);	1440	SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1440	goto err;	1444	goto err;
1441	}	1445	}
1442	s->s3->send_connection_binding = 1;	1446	s->s3->send_connection_binding = 1;
1443	p += SSL3_CIPHER_VALUE_SIZE;
1444	continue;	1447	continue;
1445	}	1448	}
1446		1449
1447	c = ssl3_get_cipher_by_char(p);	1450	c = ssl3_get_cipher_by_id(cipher_id);
1448	p += SSL3_CIPHER_VALUE_SIZE;
1449	if (c != NULL) {	1451	if (c != NULL) {
1450	if (!sk_SSL_CIPHER_push(sk, c)) {	1452	if (!sk_SSL_CIPHER_push(sk, c)) {
1451	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,	1453	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1458	if (skp != NULL)	1460	if (skp != NULL)
1459	*skp = sk;	1461	*skp = sk;
1460	return (sk);	1462	return (sk);
		1463
1461	err:	1464	err:
1462	if ((skp == NULL) \|\| (*skp == NULL))	1465	if (skp == NULL \|\| *skp == NULL)
1463	sk_SSL_CIPHER_free(sk);	1466	sk_SSL_CIPHER_free(sk);
1464	return (NULL);	1467	return (NULL);
1465	}	1468	}


diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 87b27a1d99..1c823c046a 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -325,6 +325,8 @@
325	* make sure to update this constant too */	325	* make sure to update this constant too */
326	#define SSL_MAX_DIGEST 6	326	#define SSL_MAX_DIGEST 6
327		327
		328	#define SSL3_CK_ID 0x03000000
		329
328	#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)	330	#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
329		331
330	#define TLS1_PRF_DGST_SHIFT 10	332	#define TLS1_PRF_DGST_SHIFT 10
@@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);
594	int ssl_verify_alarm_type(long type);	596	int ssl_verify_alarm_type(long type);
595	void ssl_load_ciphers(void);	597	void ssl_load_ciphers(void);
596		598
597	const SSL_CIPHER ssl3_get_cipher_by_char(const unsigned char p);
598	int ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p);	599	int ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p);
599	void ssl3_init_finished_mac(SSL *s);	600	void ssl3_init_finished_mac(SSL *s);
600	int ssl3_send_server_certificate(SSL *s);	601	int ssl3_send_server_certificate(SSL *s);


diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 55ab469df5..e5dedf0ba4 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.81 2014/08/11 10:46:19 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.82 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1408,6 +1408,8 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1408	const SSL_CIPHER *c;	1408	const SSL_CIPHER *c;
1409	STACK_OF(SSL_CIPHER) *sk;	1409	STACK_OF(SSL_CIPHER) *sk;
1410	int i;	1410	int i;
		1411	unsigned int cipher_id;
		1412	uint16_t cipher_value;
1411		1413
1412	if (s->s3)	1414	if (s->s3)
1413	s->s3->send_connection_binding = 0;	1415	s->s3->send_connection_binding = 0;
@@ -1427,10 +1429,12 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1427	}	1429	}
1428		1430
1429	for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {	1431	for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
		1432	n2s(p, cipher_value);
		1433	cipher_id = SSL3_CK_ID \| cipher_value;
		1434
1430	/* Check for SCSV */	1435	/* Check for SCSV */
1431	if (s->s3 && (p[0] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&	1436	if (s->s3 && cipher_id == SSL3_CK_SCSV) {
1432	(p[1] == (SSL3_CK_SCSV & 0xff))) {	1437	/* SCSV is fatal if renegotiating. */
1433	/* SCSV fatal if renegotiating */
1434	if (s->renegotiate) {	1438	if (s->renegotiate) {
1435	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,	1439	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
1436	SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);	1440	SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1440,12 +1444,10 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1440	goto err;	1444	goto err;
1441	}	1445	}
1442	s->s3->send_connection_binding = 1;	1446	s->s3->send_connection_binding = 1;
1443	p += SSL3_CIPHER_VALUE_SIZE;
1444	continue;	1447	continue;
1445	}	1448	}
1446		1449
1447	c = ssl3_get_cipher_by_char(p);	1450	c = ssl3_get_cipher_by_id(cipher_id);
1448	p += SSL3_CIPHER_VALUE_SIZE;
1449	if (c != NULL) {	1451	if (c != NULL) {
1450	if (!sk_SSL_CIPHER_push(sk, c)) {	1452	if (!sk_SSL_CIPHER_push(sk, c)) {
1451	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,	1453	SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -1458,8 +1460,9 @@ ssl_bytes_to_cipher_list(SSL s, unsigned char p, int num,
1458	if (skp != NULL)	1460	if (skp != NULL)
1459	*skp = sk;	1461	*skp = sk;
1460	return (sk);	1462	return (sk);
		1463
1461	err:	1464	err:
1462	if ((skp == NULL) \|\| (*skp == NULL))	1465	if (skp == NULL \|\| *skp == NULL)
1463	sk_SSL_CIPHER_free(sk);	1466	sk_SSL_CIPHER_free(sk);
1464	return (NULL);	1467	return (NULL);
1465	}	1468	}


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 87b27a1d99..1c823c046a 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.65 2014/08/11 01:06:22 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.66 2014/08/23 14:52:41 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -325,6 +325,8 @@
325	* make sure to update this constant too */	325	* make sure to update this constant too */
326	#define SSL_MAX_DIGEST 6	326	#define SSL_MAX_DIGEST 6
327		327
		328	#define SSL3_CK_ID 0x03000000
		329
328	#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)	330	#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
329		331
330	#define TLS1_PRF_DGST_SHIFT 10	332	#define TLS1_PRF_DGST_SHIFT 10
@@ -594,7 +596,6 @@ STACK_OF(SSL_CIPHER) ssl_get_ciphers_by_id(SSL s);
594	int ssl_verify_alarm_type(long type);	596	int ssl_verify_alarm_type(long type);
595	void ssl_load_ciphers(void);	597	void ssl_load_ciphers(void);
596		598
597	const SSL_CIPHER ssl3_get_cipher_by_char(const unsigned char p);
598	int ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p);	599	int ssl3_put_cipher_by_char(const SSL_CIPHER c, unsigned char p);
599	void ssl3_init_finished_mac(SSL *s);	600	void ssl3_init_finished_mac(SSL *s);
600	int ssl3_send_server_certificate(SSL *s);	601	int ssl3_send_server_certificate(SSL *s);