From 1d8d9c34467baab3746e6f8398a2d4fa5677cb68 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 14 Apr 2014 13:30:33 +0000 Subject: First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5. --- src/lib/libssl/src/ssl/t1_clnt.c | 21 +- src/lib/libssl/src/ssl/t1_enc.c | 1186 +++++++++++----------- src/lib/libssl/src/ssl/t1_lib.c | 2002 +++++++++++++++++-------------------- src/lib/libssl/src/ssl/t1_meth.c | 20 +- src/lib/libssl/src/ssl/t1_reneg.c | 278 +++-- src/lib/libssl/src/ssl/t1_srvr.c | 21 +- src/lib/libssl/t1_clnt.c | 21 +- src/lib/libssl/t1_enc.c | 1186 +++++++++++----------- src/lib/libssl/t1_lib.c | 2002 +++++++++++++++++-------------------- src/lib/libssl/t1_meth.c | 20 +- src/lib/libssl/t1_reneg.c | 278 +++-- src/lib/libssl/t1_srvr.c | 21 +- 12 files changed, 3348 insertions(+), 3708 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/src/ssl/t1_clnt.c b/src/lib/libssl/src/ssl/t1_clnt.c index 578617ed84..ac8ff7309f 100644 --- a/src/lib/libssl/src/ssl/t1_clnt.c +++ b/src/lib/libssl/src/ssl/t1_clnt.c @@ -64,8 +64,10 @@ #include static const SSL_METHOD *tls1_get_client_method(int ver); -static const SSL_METHOD *tls1_get_client_method(int ver) - { + +static const SSL_METHOD +*tls1_get_client_method(int ver) +{ if (ver == TLS1_2_VERSION) return TLSv1_2_client_method(); if (ver == TLS1_1_VERSION) 
@@ -73,20 +75,13 @@ static const SSL_METHOD *tls1_get_client_method(int ver) if (ver == TLS1_VERSION) return TLSv1_client_method(); return NULL; - } +} IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method, - ssl_undefined_function, - ssl3_connect, - tls1_get_client_method) + ssl_undefined_function, ssl3_connect, tls1_get_client_method) IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method, - ssl_undefined_function, - ssl3_connect, - tls1_get_client_method) + ssl_undefined_function, ssl3_connect, tls1_get_client_method) IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method, - ssl_undefined_function, - ssl3_connect, - tls1_get_client_method) - + ssl_undefined_function, ssl3_connect, tls1_get_client_method) diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index 0c4cddedf8..e59e883424 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c @@ -149,15 +149,12 @@ #endif /* seed1 through seed5 are virtually concatenated */ -static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, - int sec_len, - const void *seed1, int seed1_len, - const void *seed2, int seed2_len, - const void *seed3, int seed3_len, - const void *seed4, int seed4_len, - const void *seed5, int seed5_len, - unsigned char *out, int olen) - { +static int +tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, + const void *seed1, int seed1_len, const void *seed2, int seed2_len, + const void *seed3, int seed3_len, const void *seed4, int seed4_len, + const void *seed5, int seed5_len, unsigned char *out, int olen) +{ int chunk; size_t j; EVP_MD_CTX ctx, ctx_tmp; @@ -165,8 +162,8 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, unsigned char A1[EVP_MAX_MD_SIZE]; size_t A1_len; int ret = 0; - - chunk=EVP_MD_size(md); + + chunk = EVP_MD_size(md); OPENSSL_assert(chunk >= 0); EVP_MD_CTX_init(&ctx); 
@@ -176,114 +173,109 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); if (!mac_key) goto err; - if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) goto err; - if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) goto err; - if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) + if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) goto err; - if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) + if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) goto err; - if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) + if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) goto err; - if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) + if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) goto err; - if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) + if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) goto err; - if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) + if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) goto err; - for (;;) - { + for (;;) { /* Reinit mac contexts */ - if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) goto err; - if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) goto err; - if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) + if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) goto err; - if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) + if (!EVP_DigestSignUpdate(&ctx_tmp, A1, A1_len)) goto err; - if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) + if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) goto err; - if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) + if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) goto err; - if (seed3 
&& !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) + if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) goto err; - if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) + if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) goto err; - if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) + if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) goto err; - if (olen > chunk) - { - if (!EVP_DigestSignFinal(&ctx,out,&j)) + if (olen > chunk) { + if (!EVP_DigestSignFinal(&ctx, out, &j)) goto err; - out+=j; - olen-=j; + out += j; + olen -= j; /* calc the next A1 value */ - if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) + if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) goto err; - } + } else /* last one */ - { - if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) + { + if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) goto err; - memcpy(out,A1,olen); + memcpy(out, A1, olen); break; - } } + } ret = 1; err: EVP_PKEY_free(mac_key); EVP_MD_CTX_cleanup(&ctx); EVP_MD_CTX_cleanup(&ctx_tmp); - OPENSSL_cleanse(A1,sizeof(A1)); + OPENSSL_cleanse(A1, sizeof(A1)); return ret; - } +} /* seed1 through seed5 are virtually concatenated */ -static int tls1_PRF(long digest_mask, - const void *seed1, int seed1_len, - const void *seed2, int seed2_len, - const void *seed3, int seed3_len, - const void *seed4, int seed4_len, - const void *seed5, int seed5_len, - const unsigned char *sec, int slen, - unsigned char *out1, - unsigned char *out2, int olen) - { - int len,i,idx,count; +static int +tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, + int seed2_len, const void *seed3, int seed3_len, const void *seed4, + int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec, + int slen, unsigned char *out1, unsigned char *out2, int olen) +{ + int len, i, idx, count; const unsigned char *S1; long m; const EVP_MD *md; int ret = 0; /* Count number of digests and partition sec evenly */ - count=0; - for 
(idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { - if ((m<s3->server_random,SSL3_RANDOM_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - s->session->master_key,s->session->master_key_length, - km,tmp,num); + TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + km, tmp, num); #ifdef KSSL_DEBUG printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", - s->session->master_key_length); + s->session->master_key_length); { - int i; - for (i=0; i < s->session->master_key_length; i++) - { - printf("%02X", s->session->master_key[i]); - } - printf("\n"); } + int i; + for (i = 0; i < s->session->master_key_length; i++) { + printf("%02X", s->session->master_key[i]); + } + printf("\n"); + } #endif /* KSSL_DEBUG */ return ret; - } +} -int tls1_change_cipher_state(SSL *s, int which) - { +int +tls1_change_cipher_state(SSL *s, int which) +{ static const unsigned char empty[]=""; - unsigned char *p,*mac_secret; + unsigned char *p, *mac_secret; unsigned char *exp_label; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; unsigned char iv2[EVP_MAX_IV_LENGTH*2]; - unsigned char *ms,*key,*iv; + unsigned char *ms, *key, *iv; int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; 
@@ -337,36 +331,35 @@ int tls1_change_cipher_state(SSL *s, int which) int *mac_secret_size; EVP_MD_CTX *mac_ctx; EVP_PKEY *mac_key; - int is_export,n,i,j,k,exp_label_len,cl; + int is_export, n, i, j, k, exp_label_len, cl; int reuse_dd = 0; - is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); - c=s->s3->tmp.new_sym_enc; - m=s->s3->tmp.new_hash; + is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); + c = s->s3->tmp.new_sym_enc; + m = s->s3->tmp.new_hash; mac_type = s->s3->tmp.new_mac_pkey_type; #ifndef OPENSSL_NO_COMP - comp=s->s3->tmp.new_compression; + comp = s->s3->tmp.new_compression; #endif #ifdef KSSL_DEBUG printf("tls1_change_cipher_state(which= %d) w/\n", which); printf("\talg= %ld/%ld, comp= %p\n", - s->s3->tmp.new_cipher->algorithm_mkey, - s->s3->tmp.new_cipher->algorithm_auth, - comp); + s->s3->tmp.new_cipher->algorithm_mkey, + s->s3->tmp.new_cipher->algorithm_auth, + comp); printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", - c->nid,c->block_size,c->key_len,c->iv_len); + c->nid, c->block_size, c->key_len, c->iv_len); printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); { - int i; - for (i=0; is3->tmp.key_block_length; i++) - printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); - } + int i; + for (i = 0; i < s->s3->tmp.key_block_length; i++) + printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); + } #endif /* KSSL_DEBUG */ - if (which & SSL3_CC_READ) - { + if (which & SSL3_CC_READ) { if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; else 
@@ -374,303 +367,285 @@ int tls1_change_cipher_state(SSL *s, int which) if (s->enc_read_ctx != NULL) reuse_dd = 1; - else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) + else if ((s->enc_read_ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_read_ctx); - dd= s->enc_read_ctx; - mac_ctx=ssl_replace_hash(&s->read_hash,NULL); + EVP_CIPHER_CTX_init(s->enc_read_ctx); + dd = s->enc_read_ctx; + mac_ctx = ssl_replace_hash(&s->read_hash, NULL); #ifndef OPENSSL_NO_COMP - if (s->expand != NULL) - { + if (s->expand != NULL) { COMP_CTX_free(s->expand); - s->expand=NULL; - } - if (comp != NULL) - { - s->expand=COMP_CTX_new(comp->method); - if (s->expand == NULL) - { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + s->expand = NULL; + } + if (comp != NULL) { + s->expand = COMP_CTX_new(comp->method); + if (s->expand == NULL) { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; - } + } if (s->s3->rrec.comp == NULL) - s->s3->rrec.comp=(unsigned char *) - OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + s->s3->rrec.comp = (unsigned char *) + OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; - } + } #endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ - if (s->version != DTLS1_VERSION) - memset(&(s->s3->read_sequence[0]),0,8); - mac_secret= &(s->s3->read_mac_secret[0]); - mac_secret_size=&(s->s3->read_mac_secret_size); - } - else - { + if (s->version != DTLS1_VERSION) + memset(&(s->s3->read_sequence[0]), 0, 8); + mac_secret = &(s->s3->read_mac_secret[0]); + mac_secret_size = &(s->s3->read_mac_secret_size); + } else { if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else + else s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) 
reuse_dd = 1; - else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; - dd= s->enc_write_ctx; - if (SSL_IS_DTLS(s)) - { + dd = s->enc_write_ctx; + if (SSL_IS_DTLS(s)) { mac_ctx = EVP_MD_CTX_create(); if (!mac_ctx) goto err; s->write_hash = mac_ctx; - } - else - mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + } else + mac_ctx = ssl_replace_hash(&s->write_hash, NULL); #ifndef OPENSSL_NO_COMP - if (s->compress != NULL) - { + if (s->compress != NULL) { COMP_CTX_free(s->compress); - s->compress=NULL; - } - if (comp != NULL) - { - s->compress=COMP_CTX_new(comp->method); - if (s->compress == NULL) - { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + s->compress = NULL; + } + if (comp != NULL) { + s->compress = COMP_CTX_new(comp->method); + if (s->compress == NULL) { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; - } } + } #endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ - if (s->version != DTLS1_VERSION) - memset(&(s->s3->write_sequence[0]),0,8); - mac_secret= &(s->s3->write_mac_secret[0]); + if (s->version != DTLS1_VERSION) + memset(&(s->s3->write_sequence[0]), 0, 8); + mac_secret = &(s->s3->write_mac_secret[0]); mac_secret_size = &(s->s3->write_mac_secret_size); - } + } if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); - p=s->s3->tmp.key_block; - i=*mac_secret_size=s->s3->tmp.new_mac_secret_size; + p = s->s3->tmp.key_block; + i=*mac_secret_size = s->s3->tmp.new_mac_secret_size; - cl=EVP_CIPHER_key_length(c); - j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + cl = EVP_CIPHER_key_length(c); + j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ /* If GCM mode only part of IV comes from PRF */ if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) k = EVP_GCM_TLS_FIXED_IV_LEN; else - k=EVP_CIPHER_iv_length(c); - if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || - (which == SSL3_CHANGE_CIPHER_SERVER_READ)) - { - ms= &(p[ 0]); n=i+i; - key= &(p[ n]); n+=j+j; - iv= &(p[ n]); n+=k+k; - exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; - exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; - client_write=1; - } - else - { - n=i; - ms= &(p[ n]); n+=i+j; - key= &(p[ n]); n+=j+k; - iv= &(p[ n]); n+=k; - exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; - exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; - client_write=0; - } + k = EVP_CIPHER_iv_length(c); + if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || + (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { + ms = &(p[0]); + n = i + i; + key = &(p[n]); + n += j + j; + iv = &(p[n]); + n += k + k; + exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; + exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; + client_write = 1; + } else { + n = i; + ms = &(p[n]); + n += i + j; + key = &(p[n]); + n += j + k; + iv = &(p[n]); + n += k; + exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; + exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; + client_write = 0; + } - if (n > s->s3->tmp.key_block_length) - { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); + if (n > s->s3->tmp.key_block_length) { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; - } + } - memcpy(mac_secret,ms,i); + memcpy(mac_secret, ms, i); - if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) - { + if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) { mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, - mac_secret,*mac_secret_size); - EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); + mac_secret, *mac_secret_size); + EVP_DigestSignInit(mac_ctx, 
NULL, m, NULL, mac_key); EVP_PKEY_free(mac_key); - } + } #ifdef TLS_DEBUG -printf("which = %04X\nmac key=",which); -{ int z; for (z=0; zs3->client_random,SSL3_RANDOM_SIZE, - s->s3->server_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - key,j,tmp1,tmp2,EVP_CIPHER_key_length(c))) - goto err2; - key=tmp1; + exp_label, exp_label_len, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) + goto err2; + key = tmp1; - if (k > 0) - { + if (k > 0) { if (!tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - s->s3->server_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - empty,0,iv1,iv2,k*2)) - goto err2; + TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + empty, 0, iv1, iv2, k*2)) + goto err2; if (client_write) - iv=iv1; + iv = iv1; else - iv= &(iv1[k]); - } + iv = &(iv1[k]); } + } - s->session->key_arg_length=0; + s->session->key_arg_length = 0; #ifdef KSSL_DEBUG { - int i; - printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); - printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]); - printf("\n"); - printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]); - printf("\n"); + int i; + printf("EVP_CipherInit_ex(dd, c, key=, iv=, which)\n"); + printf("\tkey= "); for (i = 0; ikey_len; i++) printf("%02x", key[i]); + printf("\n"); + printf("\t iv= "); for (i = 0; iiv_len; i++) printf("%02x", iv[i]); + printf("\n"); } #endif /* KSSL_DEBUG */ - if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) - { - EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); + if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { + EVP_CipherInit_ex(dd, c, NULL, key, NULL,(which & SSL3_CC_WRITE)); EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); - } - else - EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & 
SSL3_CC_WRITE)); + } else + EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) - EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY, - *mac_secret_size,mac_secret); + EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, + *mac_secret_size, mac_secret); #ifdef TLS_DEBUG -printf("which = %04X\nkey=",which); -{ int z; for (z=0; zs3->tmp.key_block_length != 0) - return(1); + return (1); - if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp)) - { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return(0); - } + if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + return (0); + } - s->s3->tmp.new_sym_enc=c; - s->s3->tmp.new_hash=hash; + s->s3->tmp.new_sym_enc = c; + s->s3->tmp.new_hash = hash; s->s3->tmp.new_mac_pkey_type = mac_type; s->s3->tmp.new_mac_secret_size = mac_secret_size; - num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c); + num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); num*=2; ssl3_cleanup_key_block(s); - if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) - { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); + if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; - } + } - s->s3->tmp.key_block_length=num; - s->s3->tmp.key_block=p1; + s->s3->tmp.key_block_length = num; + s->s3->tmp.key_block = p1; - if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) - { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); + if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; - } + } #ifdef TLS_DEBUG -printf("client random\n"); -{ int z; for (z=0; 
zs3->client_random[z],((z+1)%16)?' ':'\n'); } -printf("server random\n"); -{ int z; for (z=0; zs3->server_random[z],((z+1)%16)?' ':'\n'); } -printf("pre-master\n"); -{ int z; for (z=0; zsession->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } + printf("client random\n"); + { int z; for (z = 0; zs3->client_random[z],((z+1)%16)?' ':'\n'); } + printf("server random\n"); + { int z; for (z = 0; zs3->server_random[z],((z+1)%16)?' ':'\n'); } + printf("pre-master\n"); + { int z; for (z = 0; zsession->master_key_length; z++) printf("%02X%c", s->session->master_key[z],((z+1)%16)?' ':'\n'); } #endif - if (!tls1_generate_key_block(s,p1,p2,num)) + if (!tls1_generate_key_block(s, p1, p2, num)) goto err; #ifdef TLS_DEBUG -printf("\nkey block\n"); -{ int z; for (z=0; zoptions & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) - && s->method->version <= TLS1_VERSION) - { + && s->method->version <= TLS1_VERSION) { /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ s->s3->need_empty_fragments = 1; - if (s->session->cipher != NULL) - { + if (s->session->cipher != NULL) { if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3->need_empty_fragments = 0; - + #ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3->need_empty_fragments = 0; #endif - } } - + } + ret = 1; err: - if (p2) - { - OPENSSL_cleanse(p2,num); + if (p2) { + OPENSSL_cleanse(p2, num); OPENSSL_free(p2); - } - return(ret); } + return (ret); +} /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. * 
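Review bot: The reformat reaches inside a string literal in the KSSL_DEBUG block ahead of the cipher initialisation, where `printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");` becomes `printf("EVP_CipherInit_ex(dd, c, key=, iv=, which)\n");`. The `EVP_Cipher(ds=%p,rec->data=%p,...)` format string in the tls1_enc hunk (-681,176 +656,161) gets the same treatment, so the text these debug builds emit changes even though the commit is described as layout only. A comparison that strips whitespace before hashing, as the tr and md5 check in the commit message presumably does, cannot tell an edit inside a literal from one outside it, so these changes pass that check unnoticed. I would restore both literals byte for byte and limit the reformat to code outside string literals. The enclosing function tls1_change_cipher_state starts outside this hunk.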
@@ -681,176 +656,161 @@ err: * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, * an internal error occured. */ -int tls1_enc(SSL *s, int send) - { +int +tls1_enc(SSL *s, int send) +{ SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; - int bs,i,j,k,pad=0,ret,mac_size=0; + int bs, i, j, k, pad = 0, ret, mac_size = 0; const EVP_CIPHER *enc; - if (send) - { - if (EVP_MD_CTX_md(s->write_hash)) - { - int n=EVP_MD_CTX_size(s->write_hash); + if (send) { + if (EVP_MD_CTX_md(s->write_hash)) { + int n = EVP_MD_CTX_size(s->write_hash); OPENSSL_assert(n >= 0); - } - ds=s->enc_write_ctx; - rec= &(s->s3->wrec); + } + ds = s->enc_write_ctx; + rec = &(s->s3->wrec); if (s->enc_write_ctx == NULL) - enc=NULL; - else - { + enc = NULL; + else { int ivlen; - enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); + enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ if (s->version >= TLS1_1_VERSION && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_iv_length(enc); else ivlen = 0; - if (ivlen > 1) - { - if ( rec->data != rec->input) + if (ivlen > 1) { + if (rec->data != rec->input) /* we can't write into the input stream: * Can this ever happen?? 
(steve) */ fprintf(stderr, - "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); + "%s:%d: rec->data != rec->input\n", + __FILE__, __LINE__); else if (RAND_bytes(rec->input, ivlen) <= 0) return -1; - } } } - else - { - if (EVP_MD_CTX_md(s->read_hash)) - { - int n=EVP_MD_CTX_size(s->read_hash); + } else { + if (EVP_MD_CTX_md(s->read_hash)) { + int n = EVP_MD_CTX_size(s->read_hash); OPENSSL_assert(n >= 0); - } - ds=s->enc_read_ctx; - rec= &(s->s3->rrec); + } + ds = s->enc_read_ctx; + rec = &(s->s3->rrec); if (s->enc_read_ctx == NULL) - enc=NULL; + enc = NULL; else - enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } + enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); + } #ifdef KSSL_DEBUG printf("tls1_enc(%d)\n", send); #endif /* KSSL_DEBUG */ - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) - { - memmove(rec->data,rec->input,rec->length); - rec->input=rec->data; + if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { + memmove(rec->data, rec->input, rec->length); + rec->input = rec->data; ret = 1; - } - else - { - l=rec->length; - bs=EVP_CIPHER_block_size(ds->cipher); - - if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) - { - unsigned char buf[13],*seq; - - seq = send?s->s3->write_sequence:s->s3->read_sequence; - - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) - { - unsigned char dtlsseq[9],*p=dtlsseq; - - s2n(send?s->d1->w_epoch:s->d1->r_epoch,p); - memcpy(p,&seq[2],6); - memcpy(buf,dtlsseq,8); - } - else + } else { + l = rec->length; + bs = EVP_CIPHER_block_size(ds->cipher); + + if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { + unsigned char buf[13], *seq; + + seq = send ? s->s3->write_sequence : s->s3->read_sequence; + + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { + unsigned char dtlsseq[9], *p = dtlsseq; + + s2n(send ? 
s->d1->w_epoch : s->d1->r_epoch, p); + memcpy(p, &seq[2], 6); + memcpy(buf, dtlsseq, 8); + } else { + memcpy(buf, seq, 8); + for (i = 7; + i >= 0; + i--) /* increment */ { - memcpy(buf,seq,8); - for (i=7; i>=0; i--) /* increment */ - { ++seq[i]; - if (seq[i] != 0) break; - } - } + if (seq[i] != 0) + break; - buf[8]=rec->type; - buf[9]=(unsigned char)(s->version>>8); - buf[10]=(unsigned char)(s->version); - buf[11]=rec->length>>8; - buf[12]=rec->length&0xff; - pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf); - if (send) - { - l+=pad; - rec->length+=pad; } } - else if ((bs != 1) && send) - { - i=bs-((int)l%bs); + + buf[8] = rec->type; + buf[9] = (unsigned char)(s->version >> 8); + buf[10] = (unsigned char)(s->version); + buf[11] = rec->length >> 8; + buf[12] = rec->length&0xff; + pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); + if (send) { + l += pad; + rec->length += pad; + } + } else if ((bs != 1) && send) { + i = bs - ((int)l % bs); /* Add weird padding of upto 256 bytes */ /* we need to add 'i' padding bytes of value j */ - j=i-1; - if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) - { + j = i - 1; + if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) { if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) j++; - } - for (k=(int)l; k<(int)(l+i); k++) - rec->input[k]=j; - l+=i; - rec->length+=i; } + for (k = (int)l; k < (int)(l + i); k++) + rec->input[k] = j; + l += i; + rec->length += i; + } #ifdef KSSL_DEBUG { - unsigned long ui; - printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", - ds,rec->data,rec->input,l); - printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", + unsigned long ui; + printf("EVP_Cipher(ds=%p, rec->data=%p, rec->input=%p, l=%ld) ==>\n", + ds, rec->data, rec->input, l); + printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", ds->buf_len, ds->cipher->key_len, DES_KEY_SZ, DES_SCHEDULE_SZ, ds->cipher->iv_len); - printf("\t\tIV: "); - for (i=0; icipher->iv_len; i++) printf("%02X", 
ds->iv[i]); - printf("\n"); - printf("\trec->input="); - for (ui=0; uiinput[ui]); - printf("\n"); + printf("\t\tIV: "); + for (i = 0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); + printf("\n"); + printf("\trec->input="); + for (ui = 0; uiinput[ui]); + printf("\n"); } #endif /* KSSL_DEBUG */ - if (!send) - { - if (l == 0 || l%bs != 0) + if (!send) { + if (l == 0 || l % bs != 0) return 0; - } - - i = EVP_Cipher(ds,rec->data,rec->input,l); + } + + i = EVP_Cipher(ds, rec->data, rec->input, l); if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) - ?(i<0) - :(i==0)) - return -1; /* AEAD can fail to verify MAC */ - if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) - { + ?(i < 0) + :(i == 0)) + return -1; /* AEAD can fail to verify MAC */ + if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; - } + } #ifdef KSSL_DEBUG { - unsigned long i; - printf("\trec->data="); - for (i=0; idata[i]); printf("\n"); + unsigned long i; + printf("\trec->data="); + for (i = 0; i < l; i++) + printf(" %02x", rec->data[i]); printf("\n"); } #endif /* KSSL_DEBUG */ 
@@ -861,97 +821,93 @@ int tls1_enc(SSL *s, int send) ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); if (pad && !send) rec->length -= pad; - } - return ret; } + return ret; +} -int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) - { +int +tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) +{ unsigned int ret; - EVP_MD_CTX ctx, *d=NULL; + EVP_MD_CTX ctx, *d = NULL; int i; - if (s->s3->handshake_buffer) + if (s->s3->handshake_buffer) if (!ssl3_digest_cached_records(s)) return 0; - for (i=0;is3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) - { - d=s->s3->handshake_dgst[i]; + for (i = 0; i < SSL_MAX_DIGEST; i++) { + if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { + d = s->s3->handshake_dgst[i]; break; - } } + } if (!d) { - SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST); + SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST); return 0; - } + } EVP_MD_CTX_init(&ctx); - EVP_MD_CTX_copy_ex(&ctx,d); - EVP_DigestFinal_ex(&ctx,out,&ret); + EVP_MD_CTX_copy_ex(&ctx, d); + EVP_DigestFinal_ex(&ctx, out, &ret); EVP_MD_CTX_cleanup(&ctx); - return((int)ret); - } + return ((int)ret); +} -int tls1_final_finish_mac(SSL *s, - const char *str, int slen, unsigned char *out) - { +int +tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) +{ unsigned int i; EVP_MD_CTX ctx; unsigned char buf[2*EVP_MAX_MD_SIZE]; - unsigned char *q,buf2[12]; + unsigned char *q, buf2[12]; int idx; long mask; - int err=0; - const EVP_MD *md; + int err = 0; + const EVP_MD *md; + - q=buf; + q = buf; - if (s->s3->handshake_buffer) + if (s->s3->handshake_buffer) if (!ssl3_digest_cached_records(s)) return 0; EVP_MD_CTX_init(&ctx); - for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) - { - if (mask & ssl_get_algorithm2(s)) - { + for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) { + if (mask & ssl_get_algorithm2(s)) { int hashsize = EVP_MD_size(md); EVP_MD_CTX *hdgst 
= s->s3->handshake_dgst[idx]; - if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) - { + if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { /* internal error: 'buf' is too small for this cipersuite! */ err = 1; - } - else - { + } else { if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || - !EVP_DigestFinal_ex(&ctx,q,&i) || - (i != (unsigned int)hashsize)) - err = 1; - q+=hashsize; - } + !EVP_DigestFinal_ex(&ctx, q, &i) || + (i != (unsigned int)hashsize)) + err = 1; + q += hashsize; } } - + } + if (!tls1_PRF(ssl_get_algorithm2(s), - str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, - s->session->master_key,s->session->master_key_length, - out,buf2,sizeof buf2)) - err = 1; + str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + out, buf2, sizeof buf2)) + err = 1; EVP_MD_CTX_cleanup(&ctx); if (err) return 0; else return sizeof buf2; - } +} -int tls1_mac(SSL *ssl, unsigned char *md, int send) - { +int +tls1_mac(SSL *ssl, unsigned char *md, int send) +{ SSL3_RECORD *rec; unsigned char *seq; EVP_MD_CTX *hash; 
@@ -959,152 +915,141 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) int i; EVP_MD_CTX hmac, *mac_ctx; unsigned char header[13]; - int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); + int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : (ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); int t; - if (send) - { - rec= &(ssl->s3->wrec); - seq= &(ssl->s3->write_sequence[0]); - hash=ssl->write_hash; - } - else - { - rec= &(ssl->s3->rrec); - seq= &(ssl->s3->read_sequence[0]); - hash=ssl->read_hash; - } + if (send) { + rec = &(ssl->s3->wrec); + seq = &(ssl->s3->write_sequence[0]); + hash = ssl->write_hash; + } else { + rec = &(ssl->s3->rrec); + seq = &(ssl->s3->read_sequence[0]); + hash = ssl->read_hash; + } - t=EVP_MD_CTX_size(hash); + t = EVP_MD_CTX_size(hash); OPENSSL_assert(t >= 0); - md_size=t; + md_size = t; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) - { - mac_ctx = hash; - } - else - { - if (!EVP_MD_CTX_copy(&hmac,hash)) - return -1; - mac_ctx = &hmac; - } + if (stream_mac) { + mac_ctx = hash; + } else { + if (!EVP_MD_CTX_copy(&hmac, hash)) + return -1; + mac_ctx = &hmac; + } - if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) - { - unsigned char dtlsseq[8],*p=dtlsseq; + if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) { + unsigned char dtlsseq[8], *p = dtlsseq; - s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); - memcpy (p,&seq[2],6); + s2n(send ? 
ssl->d1->w_epoch : ssl->d1->r_epoch, p); + memcpy (p, &seq[2], 6); memcpy(header, dtlsseq, 8); - } - else + } else memcpy(header, seq, 8); /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ - orig_len = rec->length+md_size+((unsigned int)rec->type>>8); + orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); rec->type &= 0xff; - header[8]=rec->type; - header[9]=(unsigned char)(ssl->version>>8); - header[10]=(unsigned char)(ssl->version); - header[11]=(rec->length)>>8; - header[12]=(rec->length)&0xff; + header[8] = rec->type; + header[9] = (unsigned char)(ssl->version >> 8); + header[10] = (unsigned char)(ssl->version); + header[11] = (rec->length) >> 8; + header[12] = (rec->length)&0xff; if (!send && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) - { + EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && + ssl3_cbc_record_digest_supported(mac_ctx)) { /* This is a CBC-encrypted record. We must avoid leaking any * timing-side channel information about how many blocks of * data we are hashing because that gives an attacker a * timing-oracle. 
*/ ssl3_cbc_digest_record( - mac_ctx, - md, &md_size, - header, rec->input, - rec->length + md_size, orig_len, - ssl->s3->read_mac_secret, - ssl->s3->read_mac_secret_size, - 0 /* not SSLv3 */); - } - else - { - EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); - EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); - t=EVP_DigestSignFinal(mac_ctx,md,&md_size); + mac_ctx, + md, &md_size, + header, rec->input, + rec->length + md_size, orig_len, + ssl->s3->read_mac_secret, + ssl->s3->read_mac_secret_size, + 0 /* not SSLv3 */); + } else { + EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); + EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); + t = EVP_DigestSignFinal(mac_ctx, md, &md_size); OPENSSL_assert(t > 0); #ifdef OPENSSL_FIPS if (!send && FIPS_mode()) tls_fips_digest_extra( - ssl->enc_read_ctx, - mac_ctx, rec->input, - rec->length, orig_len); + ssl->enc_read_ctx, + mac_ctx, rec->input, + rec->length, orig_len); #endif - } - + } + if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); #ifdef TLS_DEBUG -printf("sec="); -{unsigned int z; for (z=0; zversion != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) - { - for (i=7; i>=0; i--) - { + if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) { + for (i = 7; i >= 0; i--) { ++seq[i]; - if (seq[i] != 0) break; - } + if (seq[i] != 0) + break; + } + } #ifdef TLS_DEBUG -{unsigned int z; for (z=0; zs3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL && s->s3->client_opaque_prf_input_len > 0 && - s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) - { + s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) { co = s->s3->client_opaque_prf_input; col = s->s3->server_opaque_prf_input_len; so = s->s3->server_opaque_prf_input; sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ - } + } #endif tls1_PRF(ssl_get_algorithm2(s), - 
TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - co, col, - s->s3->server_random,SSL3_RANDOM_SIZE, - so, sol, - p,len, - s->session->master_key,buff,sizeof buff); + TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + co, col, + s->s3->server_random, SSL3_RANDOM_SIZE, + so, sol, + p, len, + s->session->master_key, buff, sizeof buff); #ifdef SSL_DEBUG fprintf(stderr, "Premaster Secret:\n"); BIO_dump_fp(stderr, (char *)p, len); @@ -1119,13 +1064,14 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, #ifdef KSSL_DEBUG printf ("tls1_generate_master_secret() complete\n"); #endif /* KSSL_DEBUG */ - return(SSL3_MASTER_SECRET_SIZE); - } + return (SSL3_MASTER_SECRET_SIZE); +} -int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *context, - size_t contextlen, int use_context) - { +int +tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, const unsigned char *context, + size_t contextlen, int use_context) +{ unsigned char *buff; unsigned char *val = NULL; size_t vallen, currentvalpos; @@ -1136,7 +1082,8 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, #endif /* KSSL_DEBUG */ buff = OPENSSL_malloc(olen); - if (buff == NULL) goto err2; + if (buff == NULL) + goto err2; /* construct PRF arguments * we construct the PRF argument ourself rather than passing separate 
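Review bot: The `tls1_PRF(...)` call that fills `s->session->master_key` near the end of the `@@ -959,152 +915,141 @@` hunk discards its return value, while the same call in `tls1_final_finish_mac` is checked with `if (!tls1_PRF(...)) err = 1;`. As far as the visible hunks show, `tls1_generate_master_secret` then returns `SSL3_MASTER_SECRET_SIZE` regardless, so a PRF failure would let the handshake continue with a master key that was never derived. A follow-up could return 0 when `tls1_PRF` fails, once it is confirmed how callers treat a zero return. The function's opening lines and the lines between this hunk and the next are not shown here.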
@@ -1144,13 +1091,13 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, * does not create a prohibited label. */ vallen = llen + SSL3_RANDOM_SIZE * 2; - if (use_context) - { + if (use_context) { vallen += 2 + contextlen; - } + } val = OPENSSL_malloc(vallen); - if (val == NULL) goto err2; + if (val == NULL) + goto err2; currentvalpos = 0; memcpy(val + currentvalpos, (unsigned char *) label, llen); currentvalpos += llen; @@ -1159,17 +1106,15 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); currentvalpos += SSL3_RANDOM_SIZE; - if (use_context) - { + if (use_context) { val[currentvalpos] = (contextlen >> 8) & 0xff; currentvalpos++; val[currentvalpos] = contextlen & 0xff; currentvalpos++; - if ((contextlen > 0) || (context != NULL)) - { + if ((contextlen > 0) || (context != NULL)) { memcpy(val + currentvalpos, context, contextlen); - } } + } /* disallow prohibited labels * note that SSL3_RANDOM_SIZE > max(prohibited label len) = 
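Review bot: `tls1_export_keying_material` encodes `contextlen` in two bytes (`val[currentvalpos] = (contextlen >> 8) & 0xff;` in the `@@ -1159,17 +1106,15 @@` hunk), but nothing in these hunks rejects a `contextlen` above 0xffff, so a longer context would be copied in full behind a truncated length prefix. A guard such as `if (use_context && contextlen > 0xffff)` that takes the function's existing error exit before `vallen` is computed would close that. In the same later hunk, `if ((contextlen > 0) || (context != NULL))` still reaches `memcpy` when `context` is NULL and `contextlen` is non-zero; `&&` looks like the intended operator. The function begins and ends outside both hunks.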
@@ -1177,22 +1122,22 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, * comparisons won't have buffer overflow */ if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, - TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; + TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; + TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; + TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, - TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; + TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - val, vallen, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, - s->session->master_key,s->session->master_key_length, - out,buff,olen); + val, vallen, + NULL, 0, + NULL, 0, + NULL, 0, + NULL, 0, + s->session->master_key, s->session->master_key_length, + out, buff, olen); #ifdef KSSL_DEBUG printf ("tls1_export_keying_material() complete\n"); 
@@ -1206,49 +1151,82 @@ err2: SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); rv = 0; ret: - if (buff != NULL) OPENSSL_free(buff); - if (val != NULL) OPENSSL_free(val); - return(rv); - } + if (buff != NULL) + OPENSSL_free(buff); + if (val != NULL) + OPENSSL_free(val); + return (rv); +} -int tls1_alert_code(int code) - { - switch (code) - { - case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); - case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); - case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); - case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); - case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); - case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); - case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_NO_CERTIFICATE: return(-1); - case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); - case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); - case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); - case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); - case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); - case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); - case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); - case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); - case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); - case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); - case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); - case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); - case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); - case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); - case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); - case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); - case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION); 
- case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE); - case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME); - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); - case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); +int +tls1_alert_code(int code) +{ + switch (code) { + case SSL_AD_CLOSE_NOTIFY: + return (SSL3_AD_CLOSE_NOTIFY); + case SSL_AD_UNEXPECTED_MESSAGE: + return (SSL3_AD_UNEXPECTED_MESSAGE); + case SSL_AD_BAD_RECORD_MAC: + return (SSL3_AD_BAD_RECORD_MAC); + case SSL_AD_DECRYPTION_FAILED: + return (TLS1_AD_DECRYPTION_FAILED); + case SSL_AD_RECORD_OVERFLOW: + return (TLS1_AD_RECORD_OVERFLOW); + case SSL_AD_DECOMPRESSION_FAILURE: + return (SSL3_AD_DECOMPRESSION_FAILURE); + case SSL_AD_HANDSHAKE_FAILURE: + return (SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_NO_CERTIFICATE: + return (-1); + case SSL_AD_BAD_CERTIFICATE: + return (SSL3_AD_BAD_CERTIFICATE); + case SSL_AD_UNSUPPORTED_CERTIFICATE: + return (SSL3_AD_UNSUPPORTED_CERTIFICATE); + case SSL_AD_CERTIFICATE_REVOKED: + return (SSL3_AD_CERTIFICATE_REVOKED); + case SSL_AD_CERTIFICATE_EXPIRED: + return (SSL3_AD_CERTIFICATE_EXPIRED); + case SSL_AD_CERTIFICATE_UNKNOWN: + return (SSL3_AD_CERTIFICATE_UNKNOWN); + case SSL_AD_ILLEGAL_PARAMETER: + return (SSL3_AD_ILLEGAL_PARAMETER); + case SSL_AD_UNKNOWN_CA: + return (TLS1_AD_UNKNOWN_CA); + case SSL_AD_ACCESS_DENIED: + return (TLS1_AD_ACCESS_DENIED); + case SSL_AD_DECODE_ERROR: + return (TLS1_AD_DECODE_ERROR); + case SSL_AD_DECRYPT_ERROR: + return (TLS1_AD_DECRYPT_ERROR); + case SSL_AD_EXPORT_RESTRICTION: + return (TLS1_AD_EXPORT_RESTRICTION); + case SSL_AD_PROTOCOL_VERSION: + return (TLS1_AD_PROTOCOL_VERSION); + case SSL_AD_INSUFFICIENT_SECURITY: + return (TLS1_AD_INSUFFICIENT_SECURITY); + case SSL_AD_INTERNAL_ERROR: + return (TLS1_AD_INTERNAL_ERROR); + case SSL_AD_USER_CANCELLED: + 
return (TLS1_AD_USER_CANCELLED); + case SSL_AD_NO_RENEGOTIATION: + return (TLS1_AD_NO_RENEGOTIATION); + case SSL_AD_UNSUPPORTED_EXTENSION: + return (TLS1_AD_UNSUPPORTED_EXTENSION); + case SSL_AD_CERTIFICATE_UNOBTAINABLE: + return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); + case SSL_AD_UNRECOGNIZED_NAME: + return (TLS1_AD_UNRECOGNIZED_NAME); + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: + return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); + case SSL_AD_UNKNOWN_PSK_IDENTITY: + return (TLS1_AD_UNKNOWN_PSK_IDENTITY); #if 0 /* not appropriate for TLS, not used for DTLS */ - case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return - (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); + case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE : return + (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); #endif - default: return(-1); - } + default: + return (-1); } +} diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index bddffd92cc..08f7a444ad 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c @@ -120,12 +120,13 @@ const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; #ifndef OPENSSL_NO_TLSEXT -static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, - const unsigned char *sess_id, int sesslen, - SSL_SESSION **psess); +static int +tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, + const unsigned char *sess_id, int sesslen, + SSL_SESSION **psess); #endif -SSL3_ENC_METHOD TLSv1_enc_data={ +SSL3_ENC_METHOD TLSv1_enc_data = { tls1_enc, tls1_mac, tls1_setup_key_block, 
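Review bot: At the `ret:` label of `tls1_export_keying_material` (start of the `@@ -1206,49 +1151,82 @@` hunk), `buff` is released with `OPENSSL_free(buff)` without being wiped first. `buff` is the `olen`-byte scratch buffer handed to `tls1_PRF` together with `out`, so it presumably still holds PRF output derived from the master key; adding `OPENSSL_cleanse(buff, olen);` before the free would keep that out of recycled heap memory. `val` carries only the label, the two randoms and the context, so it does not need the same treatment. The function body starts outside this hunk.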
@@ -134,171 +135,173 @@ SSL3_ENC_METHOD TLSv1_enc_data={ tls1_final_finish_mac, TLS1_FINISH_MAC_LENGTH, tls1_cert_verify_mac, - TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, - TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, + TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, - }; +}; -long tls1_default_timeout(void) - { +long +tls1_default_timeout(void) +{ /* 2 hours, the 24 hours mentioned in the TLSv1 spec * is way too long for http, the cache would over fill */ - return(60*60*2); - } + return (60*60*2); +} -int tls1_new(SSL *s) - { - if (!ssl3_new(s)) return(0); - s->method->ssl_clear(s); - return(1); - } +int +tls1_new(SSL *s) +{ + if (!ssl3_new(s)) return (0); + s->method->ssl_clear(s); + return (1); +} -void tls1_free(SSL *s) - { +void +tls1_free(SSL *s) +{ #ifndef OPENSSL_NO_TLSEXT - if (s->tlsext_session_ticket) - { + if (s->tlsext_session_ticket) { OPENSSL_free(s->tlsext_session_ticket); - } + } #endif /* OPENSSL_NO_TLSEXT */ ssl3_free(s); - } +} -void tls1_clear(SSL *s) - { +void +tls1_clear(SSL *s) +{ ssl3_clear(s); s->version = s->method->version; - } +} #ifndef OPENSSL_NO_EC -static int nid_list[] = - { - NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_sect571r1, /* sect571r1 (14) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ 
- NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_secp521r1 /* secp521r1 (25) */ - }; +static int nid_list[] = { + NID_sect163k1, /* sect163k1 (1) */ + NID_sect163r1, /* sect163r1 (2) */ + NID_sect163r2, /* sect163r2 (3) */ + NID_sect193r1, /* sect193r1 (4) */ + NID_sect193r2, /* sect193r2 (5) */ + NID_sect233k1, /* sect233k1 (6) */ + NID_sect233r1, /* sect233r1 (7) */ + NID_sect239k1, /* sect239k1 (8) */ + NID_sect283k1, /* sect283k1 (9) */ + NID_sect283r1, /* sect283r1 (10) */ + NID_sect409k1, /* sect409k1 (11) */ + NID_sect409r1, /* sect409r1 (12) */ + NID_sect571k1, /* sect571k1 (13) */ + NID_sect571r1, /* sect571r1 (14) */ + NID_secp160k1, /* secp160k1 (15) */ + NID_secp160r1, /* secp160r1 (16) */ + NID_secp160r2, /* secp160r2 (17) */ + NID_secp192k1, /* secp192k1 (18) */ + NID_X9_62_prime192v1, /* secp192r1 (19) */ + NID_secp224k1, /* secp224k1 (20) */ + NID_secp224r1, /* secp224r1 (21) */ + NID_secp256k1, /* secp256k1 (22) */ + NID_X9_62_prime256v1, /* secp256r1 (23) */ + NID_secp384r1, /* secp384r1 (24) */ + NID_secp521r1 /* secp521r1 (25) */ +}; -static int pref_list[] = - { - NID_sect571r1, /* sect571r1 (14) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_secp521r1, /* secp521r1 (25) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ - 
NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - }; +static int pref_list[] = { + NID_sect571r1, /* sect571r1 (14) */ + NID_sect571k1, /* sect571k1 (13) */ + NID_secp521r1, /* secp521r1 (25) */ + NID_sect409k1, /* sect409k1 (11) */ + NID_sect409r1, /* sect409r1 (12) */ + NID_secp384r1, /* secp384r1 (24) */ + NID_sect283k1, /* sect283k1 (9) */ + NID_sect283r1, /* sect283r1 (10) */ + NID_secp256k1, /* secp256k1 (22) */ + NID_X9_62_prime256v1, /* secp256r1 (23) */ + NID_sect239k1, /* sect239k1 (8) */ + NID_sect233k1, /* sect233k1 (6) */ + NID_sect233r1, /* sect233r1 (7) */ + NID_secp224k1, /* secp224k1 (20) */ + NID_secp224r1, /* secp224r1 (21) */ + NID_sect193r1, /* sect193r1 (4) */ + NID_sect193r2, /* sect193r2 (5) */ + NID_secp192k1, /* secp192k1 (18) */ + NID_X9_62_prime192v1, /* secp192r1 (19) */ + NID_sect163k1, /* sect163k1 (1) */ + NID_sect163r1, /* sect163r1 (2) */ + NID_sect163r2, /* sect163r2 (3) */ + NID_secp160k1, /* secp160k1 (15) */ + NID_secp160r1, /* secp160r1 (16) */ + NID_secp160r2, /* secp160r2 (17) */ +}; -int tls1_ec_curve_id2nid(int curve_id) - { +int +tls1_ec_curve_id2nid(int curve_id) +{ /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ if ((curve_id < 1) || ((unsigned int)curve_id > - sizeof(nid_list)/sizeof(nid_list[0]))) + sizeof(nid_list)/sizeof(nid_list[0]))) return 0; - return nid_list[curve_id-1]; - } + return nid_list[curve_id - 1]; +} -int tls1_ec_nid2curve_id(int nid) - { +int +tls1_ec_nid2curve_id(int nid) +{ /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 
17, 2005) */ - switch (nid) - { + switch (nid) { case NID_sect163k1: /* sect163k1 (1) */ return 1; case NID_sect163r1: /* sect163r1 (2) */ return 2; case NID_sect163r2: /* sect163r2 (3) */ return 3; - case NID_sect193r1: /* sect193r1 (4) */ + case NID_sect193r1: /* sect193r1 (4) */ return 4; - case NID_sect193r2: /* sect193r2 (5) */ + case NID_sect193r2: /* sect193r2 (5) */ return 5; case NID_sect233k1: /* sect233k1 (6) */ return 6; - case NID_sect233r1: /* sect233r1 (7) */ + case NID_sect233r1: /* sect233r1 (7) */ return 7; - case NID_sect239k1: /* sect239k1 (8) */ + case NID_sect239k1: /* sect239k1 (8) */ return 8; case NID_sect283k1: /* sect283k1 (9) */ return 9; - case NID_sect283r1: /* sect283r1 (10) */ + case NID_sect283r1: /* sect283r1 (10) */ return 10; - case NID_sect409k1: /* sect409k1 (11) */ + case NID_sect409k1: /* sect409k1 (11) */ return 11; case NID_sect409r1: /* sect409r1 (12) */ return 12; - case NID_sect571k1: /* sect571k1 (13) */ + case NID_sect571k1: /* sect571k1 (13) */ return 13; - case NID_sect571r1: /* sect571r1 (14) */ + case NID_sect571r1: /* sect571r1 (14) */ return 14; case NID_secp160k1: /* secp160k1 (15) */ return 15; - case NID_secp160r1: /* secp160r1 (16) */ + case NID_secp160r1: /* secp160r1 (16) */ return 16; - case NID_secp160r2: /* secp160r2 (17) */ + case NID_secp160r2: /* secp160r2 (17) */ return 17; case NID_secp192k1: /* secp192k1 (18) */ return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ + case NID_X9_62_prime192v1: /* secp192r1 (19) */ return 19; - case NID_secp224k1: /* secp224k1 (20) */ + case NID_secp224k1: /* secp224k1 (20) */ return 20; case NID_secp224r1: /* secp224r1 (21) */ return 21; - case NID_secp256k1: /* secp256k1 (22) */ + case NID_secp256k1: /* secp256k1 (22) */ return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ + case NID_X9_62_prime256v1: /* secp256r1 (23) */ return 23; case NID_secp384r1: /* secp384r1 (24) */ return 24; - case NID_secp521r1: /* secp521r1 (25) */ + case NID_secp521r1: 
/* secp521r1 (25) */ return 25; default: return 0; - } } +} #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_TLSEXT @@ -344,33 +347,35 @@ static unsigned char tls12_sigalgs[] = { #endif }; -int tls12_get_req_sig_algs(SSL *s, unsigned char *p) - { +int +tls12_get_req_sig_algs(SSL *s, unsigned char *p) +{ size_t slen = sizeof(tls12_sigalgs); if (p) memcpy(p, tls12_sigalgs, slen); return (int)slen; - } +} -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) - { - int extdatalen=0; +unsigned char +*ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +{ + int extdatalen = 0; unsigned char *ret = p; /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION - && !s->s3->send_connection_binding) - return p; + && !s->s3->send_connection_binding) + return p; - ret+=2; + ret += 2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (s->tlsext_hostname != NULL) - { + if (s->tlsext_hostname != NULL) { /* Add TLS extension servername to the Client Hello message */ unsigned long size_str; - long lenmax; + long lenmax; + /* check for enough space. 4 for the servername type and entension length 
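Review bot: The new definition in the `@@ -344,33 +347,35 @@` hunk, `unsigned char` followed by `*ssl_add_clienthello_tlsext(...)`, leaves the `*` on the name line, so the function name does not start in column 0. Starting the name in column 0 is the reason KNF puts the return type on its own line, because it lets a `^name(` search find the definition. The usual form is `unsigned char *` on the first line and `ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)` on the second. The same split appears on `ssl_add_serverhello_tlsext` in the `@@ -670,38 +668,38 @@` hunk.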
@@ -379,114 +384,117 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha 2 for hostname length + hostname length */ - - if ((lenmax = limit - ret - 9) < 0 - || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) - return NULL; - + + if ((lenmax = limit - ret - 9) < 0 + || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) + return NULL; + /* extension type and length */ - s2n(TLSEXT_TYPE_server_name,ret); - s2n(size_str+5,ret); - + s2n(TLSEXT_TYPE_server_name, ret); + + s2n(size_str + 5, ret); + /* length of servername list */ - s2n(size_str+3,ret); - + s2n(size_str + 3, ret); + /* hostname type, length and hostname */ *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; - s2n(size_str,ret); + s2n(size_str, ret); memcpy(ret, s->tlsext_hostname, size_str); - ret+=size_str; + ret += size_str; + } + + /* Add RI if renegotiating */ + if (s->renegotiate) { + int el; + + if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; } - /* Add RI if renegotiating */ - if (s->renegotiate) - { - int el; - - if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if((limit - p - 4 - el) < 0) return NULL; - - s2n(TLSEXT_TYPE_renegotiate,ret); - s2n(el,ret); - - if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } + if ((limit - p - 4 - el) + < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate, ret); + s2n(el, ret); + + if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + ret += el; + } #ifndef OPENSSL_NO_SRP /* Add SRP username if there is one */ if (s->srp_ctx.login != NULL) - { /* Add TLS extension SRP username to the Client Hello message */ + { 
/* Add TLS extension SRP username to the Client Hello message */ - int login_len = strlen(s->srp_ctx.login); - if (login_len > 255 || login_len == 0) - { + int login_len = strlen(s->srp_ctx.login); + + if (login_len > 255 || login_len == 0) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } + } /* check for enough space. 4 for the srp type type and entension length 1 for the srp user identity + srp user identity length */ - if ((limit - ret - 5 - login_len) < 0) return NULL; + if ((limit - ret - 5 - login_len) + < 0) return NULL; + /* fill in the extension */ - s2n(TLSEXT_TYPE_srp,ret); - s2n(login_len+1,ret); + s2n(TLSEXT_TYPE_srp, ret); + s2n(login_len + 1, ret); (*ret++) = (unsigned char) login_len; memcpy(ret, s->srp_ctx.login, login_len); - ret+=login_len; - } + ret += login_len; + } #endif #ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* Add TLS extension ECPointFormats to the ClientHello message */ - long lenmax; + long lenmax; + + + if ((lenmax = limit - ret - 5) + < 0) return NULL; - if ((lenmax = limit - ret - 5) < 0) return NULL; if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) - { + if (s->tlsext_ecpointformatlist_length > 255) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(s->tlsext_ecpointformatlist_length + 1,ret); + } + + s2n(TLSEXT_TYPE_ec_point_formats, ret); + s2n(s->tlsext_ecpointformatlist_length + 1, ret); *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; - } + ret += s->tlsext_ecpointformatlist_length; + } if (s->tlsext_ellipticcurvelist != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* Add TLS extension 
EllipticCurves to the ClientHello message */ - long lenmax; + long lenmax; + + + if ((lenmax = limit - ret - 6) + < 0) return NULL; - if ((lenmax = limit - ret - 6) < 0) return NULL; if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ellipticcurvelist_length > 65532) - { + if (s->tlsext_ellipticcurvelist_length > 65532) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - - s2n(TLSEXT_TYPE_elliptic_curves,ret); + } + + s2n(TLSEXT_TYPE_elliptic_curves, ret); s2n(s->tlsext_ellipticcurvelist_length + 2, ret); /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 
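Review bot: The space check for the renegotiation extension in this hunk, `(limit - p - 4 - el) < 0`, measures from `p`, the start of the extension block, rather than from `ret`, the current write position, so it does not account for the two length bytes or the server_name extension already written. The other checks in this hunk use `limit - ret`; `if ((limit - ret - 4 - el) < 0)` would match them. The SRTP block in the `@@ -630,36 +630,34 @@` hunk has the same `limit - p` form. The reformat also split these conditions across two lines, ending the first at `el)` and starting the next with `< 0) return NULL;`, which reads worse than the original one-liner. The function starts and ends outside this hunk.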
@@ -496,111 +504,103 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha */ s2n(s->tlsext_ellipticcurvelist_length, ret); memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); - ret+=s->tlsext_ellipticcurvelist_length; - } + ret += s->tlsext_ellipticcurvelist_length; + } #endif /* OPENSSL_NO_EC */ - if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) - { + if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { int ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; else if (s->session && s->tlsext_session_ticket && - s->tlsext_session_ticket->data) - { + s->tlsext_session_ticket->data) { ticklen = s->tlsext_session_ticket->length; s->session->tlsext_tick = OPENSSL_malloc(ticklen); if (!s->session->tlsext_tick) return NULL; memcpy(s->session->tlsext_tick, - s->tlsext_session_ticket->data, - ticklen); + s->tlsext_session_ticket->data, + ticklen); s->session->tlsext_ticklen = ticklen; - } - else + } else ticklen = 0; if (ticklen == 0 && s->tlsext_session_ticket && - s->tlsext_session_ticket->data == NULL) - goto skip_ext; + s->tlsext_session_ticket->data == NULL) + goto skip_ext; /* Check for enough room 2 for extension type, 2 for len * rest for ticket */ if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; - s2n(TLSEXT_TYPE_session_ticket,ret); - s2n(ticklen,ret); - if (ticklen) - { + s2n(TLSEXT_TYPE_session_ticket, ret); + + s2n(ticklen, ret); + if (ticklen) { memcpy(ret, s->session->tlsext_tick, ticklen); ret += ticklen; - } } - skip_ext: + } + skip_ext: - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) - { + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) - return NULL; - s2n(TLSEXT_TYPE_signature_algorithms,ret); + return NULL; + + s2n(TLSEXT_TYPE_signature_algorithms, ret); s2n(sizeof(tls12_sigalgs) + 2, ret); s2n(sizeof(tls12_sigalgs), ret); memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); ret += 
sizeof(tls12_sigalgs); - } + } #ifdef TLSEXT_TYPE_opaque_prf_input if (s->s3->client_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { size_t col = s->s3->client_opaque_prf_input_len; - + if ((long)(limit - ret - 6 - col < 0)) return NULL; if (col > 0xFFFD) /* can't happen */ return NULL; - s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(col + 2, ret); s2n(col, ret); memcpy(ret, s->s3->client_opaque_prf_input, col); ret += col; - } + } #endif if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { int i; long extlen, idlen, itmp; OCSP_RESPID *id; idlen = 0; - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) - { + for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); itmp = i2d_OCSP_RESPID(id, NULL); if (itmp <= 0) return NULL; idlen += itmp + 2; - } + } - if (s->tlsext_ocsp_exts) - { + if (s->tlsext_ocsp_exts) { extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); if (extlen < 0) return NULL; - } - else + } else extlen = 0; - + if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; - s2n(TLSEXT_TYPE_status_request, ret); + s2n(TLSEXT_TYPE_status_request, ret); if (extlen + idlen > 0xFFF0) return NULL; s2n(extlen + idlen + 5, ret); *(ret++) = TLSEXT_STATUSTYPE_ocsp; s2n(idlen, ret); - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) - { + for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { /* save position of id len */ unsigned char *q = ret; id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 
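Review bot: In the `TLSEXT_TYPE_opaque_prf_input` block, `if ((long)(limit - ret - 6 - col < 0))` has its closing parenthesis in the wrong place: the cast applies to the result of the comparison, and because `col` is a `size_t` the subtraction is carried out unsigned on the usual ABIs, so the `< 0` test cannot succeed. The space check is therefore ineffective ahead of `memcpy(ret, s->s3->client_opaque_prf_input, col)`. Moving the `col > 0xFFFD` test first and then using the form of the signature-algorithms check above it, `if ((size_t)(limit - ret) < col + 6) return NULL;`, gives a working bound. The enclosing function starts and ends outside this hunk.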
@@ -609,16 +609,16 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha itmp = i2d_OCSP_RESPID(id, &ret); /* write id len */ s2n(itmp, q); - } + } s2n(extlen, ret); if (extlen > 0) i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); - } + } #ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension */ - s2n(TLSEXT_TYPE_heartbeat,ret); - s2n(1,ret); + s2n(TLSEXT_TYPE_heartbeat, ret); + s2n(1, ret); /* Set mode: * 1: peer may send requests * 2: peer not allowed to send requests @@ -630,36 +630,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha #endif #ifndef OPENSSL_NO_NEXTPROTONEG - if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) - { + if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { /* The client advertises an emtpy extension to indicate its * support for Next Protocol Negotiation */ if (limit - ret - 4 < 0) return NULL; - s2n(TLSEXT_TYPE_next_proto_neg,ret); - s2n(0,ret); - } + s2n(TLSEXT_TYPE_next_proto_neg, ret); + s2n(0, ret); + } #endif #ifndef OPENSSL_NO_SRTP - if(SSL_get_srtp_profiles(s)) - { - int el; + if (SSL_get_srtp_profiles(s)) { + int el; + + ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - - if((limit - p - 4 - el) < 0) return NULL; + if ((limit - p - 4 - el) + < 0) return NULL; - s2n(TLSEXT_TYPE_use_srtp,ret); - s2n(el,ret); + s2n(TLSEXT_TYPE_use_srtp, ret); + s2n(el, ret); - if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) - { + if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - ret += el; - } + } + ret += el; + } #endif #ifdef TLSEXT_TYPE_padding 
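Review bot: In the SRTP block of the `@@ -630,36 +630,34 @@` hunk, the sizing call `ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);` has its result ignored, and `el` is declared without an initialiser. If that call can fail without storing a length (its body is not shown here), the space check and `s2n(el, ret)` that follow use an indeterminate value. The renegotiation block earlier in the function checks its own sizing call before using `el`; testing this call the same way the second `ssl_add_clienthello_use_srtp_ext` call is tested would make the two blocks consistent.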
@@ -670,38 +668,38 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha * extensions it MUST always appear last. */ { - int hlen = ret - (unsigned char *)s->init_buf->data; + int hlen = ret - (unsigned char *)s->init_buf->data; /* The code in s23_clnt.c to build ClientHello messages includes the * 5-byte record header in the buffer, while the code in s3_clnt.c does * not. */ - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) - hlen -= 5; - if (hlen > 0xff && hlen < 0x200) - { - hlen = 0x200 - hlen; - if (hlen >= 4) - hlen -= 4; - else - hlen = 0; + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; + if (hlen > 0xff && hlen < 0x200) { + hlen = 0x200 - hlen; + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; - s2n(TLSEXT_TYPE_padding, ret); - s2n(hlen, ret); - memset(ret, 0, hlen); - ret += hlen; + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); + memset(ret, 0, hlen); + ret += hlen; } } #endif - if ((extdatalen = ret-p-2)== 0) + if ((extdatalen = ret - p - 2) == 0) return p; - s2n(extdatalen,p); + s2n(extdatalen, p); return ret; - } +} -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) - { - int extdatalen=0; +unsigned char +*ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +{ + int extdatalen = 0; unsigned char *ret = p; #ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; 
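Review bot: The padding extension is written with no check against `limit`: after `hlen` is computed, `s2n(TLSEXT_TYPE_padding, ret); s2n(hlen, ret); memset(ret, 0, hlen);` emits up to a few hundred bytes, and nothing in this hunk compares that with the space left in the buffer. Every other variable-length extension in this function tests `limit - ret` first, so a guard such as `if ((limit - ret - 4 - hlen) < 0) return NULL;` before the first `s2n` would make this block consistent with them. The block opens before this hunk, so a check further up cannot be ruled out from here.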
@@ -710,143 +708,141 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha /* don't add extensions for SSLv3, unless doing secure renegotiation */ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) return p; - - ret+=2; + + ret += 2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) - { - if ((long)(limit - ret - 4) < 0) return NULL; + if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) { + if ((long)(limit - ret - 4) < 0) return NULL; + + + s2n(TLSEXT_TYPE_server_name, ret); + s2n(0, ret); + } - s2n(TLSEXT_TYPE_server_name,ret); - s2n(0,ret); + if (s->s3->send_connection_binding) { + int el; + + if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + if ((limit - p - 4 - el) + < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate, ret); + s2n(el, ret); + + if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; } - if(s->s3->send_connection_binding) - { - int el; - - if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) - { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if((limit - p - 4 - el) < 0) return NULL; - - s2n(TLSEXT_TYPE_renegotiate,ret); - s2n(el,ret); - - if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) - { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } + ret += el; + } #ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* Add TLS extension ECPointFormats to the ServerHello message */ - long lenmax; + long lenmax; + + + if ((lenmax = limit - ret - 5) + < 0) return NULL; - if ((lenmax = limit - ret - 5) < 0) return NULL; if 
(s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) - { + if (s->tlsext_ecpointformatlist_length > 255) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(s->tlsext_ecpointformatlist_length + 1,ret); + } + + s2n(TLSEXT_TYPE_ec_point_formats, ret); + s2n(s->tlsext_ecpointformatlist_length + 1, ret); *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; + ret += s->tlsext_ecpointformatlist_length; - } + } /* Currently the server should not respond with a SupportedCurves extension */ #endif /* OPENSSL_NO_EC */ if (s->tlsext_ticket_expected - && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) - { - if ((long)(limit - ret - 4) < 0) return NULL; - s2n(TLSEXT_TYPE_session_ticket,ret); - s2n(0,ret); - } + && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { + if ((long)(limit - ret - 4) < 0) return NULL; - if (s->tlsext_status_expected) - { - if ((long)(limit - ret - 4) < 0) return NULL; - s2n(TLSEXT_TYPE_status_request,ret); - s2n(0,ret); - } + s2n(TLSEXT_TYPE_session_ticket, ret); + s2n(0, ret); + } + + if (s->tlsext_status_expected) { + if ((long)(limit - ret - 4) < 0) return NULL; + + s2n(TLSEXT_TYPE_status_request, ret); + s2n(0, ret); + } #ifdef TLSEXT_TYPE_opaque_prf_input if (s->s3->server_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { size_t sol = s->s3->server_opaque_prf_input_len; - + if ((long)(limit - ret - 6 - sol) < 0) return NULL; if (sol > 0xFFFD) /* can't happen */ return NULL; - s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(sol + 2, ret); s2n(sol, ret); memcpy(ret, s->s3->server_opaque_prf_input, sol); ret += sol; - } + } #endif #ifndef OPENSSL_NO_SRTP - if(s->srtp_profile) - { - int el; + if 
(s->srtp_profile) { + int el; - ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - - if((limit - p - 4 - el) < 0) return NULL; + ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - s2n(TLSEXT_TYPE_use_srtp,ret); - s2n(el,ret); + if ((limit - p - 4 - el) < 0) + return NULL; + + s2n(TLSEXT_TYPE_use_srtp, ret); + s2n(el, ret); - if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) - { + if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - ret+=el; - } + } + ret += el; + } #endif - if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) - && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) - { const unsigned char cryptopro_ext[36] = { + if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) + && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { + const unsigned char cryptopro_ext[36] = { 0xfd, 0xe8, /*65000*/ 0x00, 0x20, /*32 bytes length*/ - 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, - 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; - if (limit-ret<36) return NULL; - memcpy(ret,cryptopro_ext,36); - ret+=36; - - } + 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, + 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, + 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, + 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 + }; + if (limit - ret < 36) + return NULL; + memcpy(ret, cryptopro_ext, 36); + ret += 36; + } #ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension if we've received one */ - if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) - { - s2n(TLSEXT_TYPE_heartbeat,ret); - s2n(1,ret); + if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { + s2n(TLSEXT_TYPE_heartbeat, ret); + s2n(1, ret); /* Set mode: * 1: peer may send requests * 2: peer not allowed to send requests 
@@ -856,37 +852,35 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha else *(ret++) = SSL_TLSEXT_HB_ENABLED; - } + } #endif #ifndef OPENSSL_NO_NEXTPROTONEG next_proto_neg_seen = s->s3->next_proto_neg_seen; s->s3->next_proto_neg_seen = 0; - if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) - { + if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { const unsigned char *npa; unsigned int npalen; int r; r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) - { + if (r == SSL_TLSEXT_ERR_OK) { if ((long)(limit - ret - 4 - npalen) < 0) return NULL; - s2n(TLSEXT_TYPE_next_proto_neg,ret); - s2n(npalen,ret); + s2n(TLSEXT_TYPE_next_proto_neg, ret); + s2n(npalen, ret); memcpy(ret, npa, npalen); ret += npalen; s->s3->next_proto_neg_seen = 1; - } } + } #endif - if ((extdatalen = ret-p-2)== 0) + if ((extdatalen = ret - p - 2) == 0) return p; - s2n(extdatalen,p); + s2n(extdatalen, p); return ret; - } +} #ifndef OPENSSL_NO_EC /* ssl_check_for_safari attempts to fingerprint Safari using OS X @@ -901,7 +895,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from * 10.8..10.8.3 (which don't work). */ -static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { +static void +ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { unsigned short type, size; static const unsigned char kSafariExtensionsBlock[] = { 0x00, 0x0a, /* elliptic_curves extension */ 
@@ -929,50 +924,49 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsign 0x02, 0x03, /* SHA-1/ECDSA */ }; - if (data >= (d+n-2)) + if (data >= (d + n - 2)) return; data += 2; - if (data > (d+n-4)) + if (data > (d + n - 4)) return; - n2s(data,type); - n2s(data,size); + n2s(data, type); + n2s(data, size); if (type != TLSEXT_TYPE_server_name) return; - if (data+size > d+n) + if (data + size > d + n) return; data += size; - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) - { + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { const size_t len1 = sizeof(kSafariExtensionsBlock); const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - if (data + len1 + len2 != d+n) + if (data + len1 + len2 != d + n) return; if (memcmp(data, kSafariExtensionsBlock, len1) != 0) return; if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) return; - } - else - { + } else { const size_t len = sizeof(kSafariExtensionsBlock); - if (data + len != d+n) + if (data + len != d + n) return; if (memcmp(data, kSafariExtensionsBlock, len) != 0) return; - } + } s->s3->is_probably_safari = 1; } #endif /* !OPENSSL_NO_EC */ -int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) - { +int +ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, + int n, int *al) +{ unsigned short type; unsigned short size; unsigned short len; @@ -988,7 +982,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif #ifndef OPENSSL_NO_EC 
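Review bot: In `ssl_check_for_safari` the test `if (data + size > d + n)` adds a peer-supplied 16-bit `size` to `data` before comparing, so the intermediate pointer can lie beyond the end of the message buffer, which is undefined behaviour and could in principle let a compiler drop the check. Comparing lengths avoids forming that pointer: `if (size > (d + n) - data) return;`, which is safe here because the earlier `data > (d + n - 4)` return keeps `(d + n) - data` non-negative. The same `data + size > (d + n)` form is used in the extension loops in the hunks at `@@ -996` and `@@ -1508`. A comment stating that `d` and `n` delimit the received handshake message would also help readers of these bounds, if that is indeed what they are.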
@@ -996,26 +990,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in ssl_check_for_safari(s, data, d, n); #endif /* !OPENSSL_NO_EC */ - if (data >= (d+n-2)) + if (data >= (d + n - 2)) goto ri_check; - n2s(data,len); + n2s(data, len); - if (data > (d+n-len)) + if (data > (d + n - len)) goto ri_check; - while (data <= (d+n-4)) - { - n2s(data,type); - n2s(data,size); + while (data <= (d + n - 4)) { + n2s(data, type); + n2s(data, size); - if (data+size > (d+n)) - goto ri_check; + if (data + size > (d + n)) + goto ri_check; #if 0 - fprintf(stderr,"Received extension type %d size %d\n",type,size); + fprintf(stderr, "Received extension type %d size %d\n", type, size); #endif if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 0, type, data, size, - s->tlsext_debug_arg); + s->tlsext_debug_arg); /* The servername extension is treated as follows: - Only the hostname type is supported with a maximum length of 255. 
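Review bot: Length fields that overrun the message are not treated as errors here, since both `if (data > (d + n - len))` and `if (data + size > (d + n))` jump to `ri_check`. That label, shown in the hunk at `@@ -1462`, returns 1 unless the renegotiation test fails, so a truncated or inconsistent extension block is accepted as though it had ended cleanly. Unless this leniency is deliberate for interoperability, these paths should fail with `*al = SSL_AD_DECODE_ERROR; return 0;`, as the ServerHello parser at `@@ -1508` already does for `data + length != d + n`. If the leniency is intended, a comment saying so belongs on the `goto`. The function body continues outside this hunk.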
@@ -1039,206 +1032,180 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in */ - if (type == TLSEXT_TYPE_server_name) - { + if (type == TLSEXT_TYPE_server_name) { unsigned char *sdata; int servname_type; - int dsize; - - if (size < 2) - { + int dsize; + + + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } - n2s(data,dsize); + } + n2s(data, dsize); + size -= 2; - if (dsize > size ) - { + if (dsize > size) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sdata = data; - while (dsize > 3) - { - servname_type = *(sdata++); - n2s(sdata,len); + while (dsize > 3) { + servname_type = *(sdata++); + + n2s(sdata, len); dsize -= 3; - if (len > dsize) - { + if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } if (s->servername_done == 0) - switch (servname_type) - { + switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (!s->hit) - { - if(s->session->tlsext_hostname) - { + if (!s->hit) { + if (s->session->tlsext_hostname) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (len > TLSEXT_MAXLEN_host_name) - { + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; - } - if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) - { + } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len + 1)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } memcpy(s->session->tlsext_hostname, sdata, len); - s->session->tlsext_hostname[len]='\0'; + s->session->tlsext_hostname[len] = '\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } - s->servername_done = 1; + s->servername_done = 1; - } - else + + } else s->servername_done = s->session->tlsext_hostname - && strlen(s->session->tlsext_hostname) == len - && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; - + && strlen(s->session->tlsext_hostname) == len + && strncmp(s->session->tlsext_hostname, (char 
*)sdata, len) == 0; + break; default: break; - } - - dsize -= len; } - if (dsize != 0) - { + + dsize -= len; + } + if (dsize != 0) { *al = SSL_AD_DECODE_ERROR; return 0; - } - } + + } #ifndef OPENSSL_NO_SRP - else if (type == TLSEXT_TYPE_srp) - { - if (size <= 0 || ((len = data[0])) != (size -1)) - { + else if (type == TLSEXT_TYPE_srp) { + if (size <= 0 || ((len = data[0])) != (size - 1)) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (s->srp_ctx.login != NULL) - { + } + if (s->srp_ctx.login != NULL) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) + } + if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL) return -1; memcpy(s->srp_ctx.login, &data[1], len); - s->srp_ctx.login[len]='\0'; - - if (strlen(s->srp_ctx.login) != len) - { + s->srp_ctx.login[len] = '\0'; + + if (strlen(s->srp_ctx.login) != len) { *al = SSL_AD_DECODE_ERROR; return 0; - } } + } #endif #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1) - { + if (ecpointformatlist_length != size - 1) { *al = TLS1_AD_DECODE_ERROR; return 0; - } - if (!s->hit) - { - if(s->session->tlsext_ecpointformatlist) - { + } + if (!s->hit) { + if (s->session->tlsext_ecpointformatlist) { OPENSSL_free(s->session->tlsext_ecpointformatlist); s->session->tlsext_ecpointformatlist = NULL; - } + } s->session->tlsext_ecpointformatlist_length = 0; - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) - { + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); - } + } #if 0 - 
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); + fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist; for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - fprintf(stderr,"%i ",*(sdata++)); - fprintf(stderr,"\n"); + fprintf(stderr, "%i ", *(sdata++)); + fprintf(stderr, "\n"); #endif - } - else if (type == TLSEXT_TYPE_elliptic_curves && - s->version != DTLS1_VERSION) - { + } else if (type == TLSEXT_TYPE_elliptic_curves && + s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2 || - ellipticcurvelist_length < 1) - { + ellipticcurvelist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; - } - if (!s->hit) - { - if(s->session->tlsext_ellipticcurvelist) - { + } + if (!s->hit) { + if (s->session->tlsext_ellipticcurvelist) { *al = TLS1_AD_DECODE_ERROR; return 0; - } + } s->session->tlsext_ellipticcurvelist_length = 0; - if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) - { + if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); - } + } #if 0 - fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); + fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist; for (i = 0; i < 
s->session->tlsext_ellipticcurvelist_length; i++) - fprintf(stderr,"%i ",*(sdata++)); - fprintf(stderr,"\n"); + fprintf(stderr, "%i ", *(sdata++)); + fprintf(stderr, "\n"); #endif - } + } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; - if (size < 2) - { + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } n2s(sdata, s->s3->client_opaque_prf_input_len); - if (s->s3->client_opaque_prf_input_len != size - 2) - { + if (s->s3->client_opaque_prf_input_len != size - 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); 
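Review bot: The EC branches read their length prefix before checking `size`: `int ecpointformatlist_length = *(sdata++);` reads one byte and the elliptic_curves branch reads two, even when the extension body is empty. The following `!= size - 1` and `!= size - 2` comparisons then reject the extension, but the bytes already read belong to whatever follows it, possibly past the end of the message. A guard before the read closes this, for example `if (size < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; }`, with `size < 2` for the curve list. The ec_point_formats branch of the ServerHello parser in the hunk at `@@ -1508` reads its length byte the same way.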
@@ -1246,183 +1213,154 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ else s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); - if (s->s3->client_opaque_prf_input == NULL) - { + if (s->s3->client_opaque_prf_input == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } } + } #endif - else if (type == TLSEXT_TYPE_session_ticket) - { + else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) - { + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } } - else if (type == TLSEXT_TYPE_renegotiate) - { - if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) + } else if (type == TLSEXT_TYPE_renegotiate) { + if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) return 0; renegotiate_seen = 1; - } - else if (type == TLSEXT_TYPE_signature_algorithms) - { + } else if (type == TLSEXT_TYPE_signature_algorithms) { int dsize; - if (sigalg_seen || size < 2) - { + if (sigalg_seen || size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sigalg_seen = 1; - n2s(data,dsize); + n2s(data, dsize); size -= 2; - if (dsize != size || dsize & 1) - { + if (dsize != size || dsize & 1) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (!tls1_process_sigalgs(s, data, dsize)) - { + } + if (!tls1_process_sigalgs(s, data, dsize)) { *al = SSL_AD_DECODE_ERROR; return 0; - } } - else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) - { - - if (size < 5) - { + } else if (type == TLSEXT_TYPE_status_request && + s->version != DTLS1_VERSION) { + + if (size < 5) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } s->tlsext_status_type = *data++; size--; - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) - { + if 
(s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { const unsigned char *sdata; int dsize; /* Read in responder_id_list */ - n2s(data,dsize); + n2s(data, dsize); size -= 2; - if (dsize > size ) - { + if (dsize > size ) { *al = SSL_AD_DECODE_ERROR; return 0; - } - while (dsize > 0) - { + } + while (dsize > 0) { OCSP_RESPID *id; int idsize; - if (dsize < 4) - { + if (dsize < 4) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } n2s(data, idsize); dsize -= 2 + idsize; size -= 2 + idsize; - if (dsize < 0) - { + if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sdata = data; data += idsize; id = d2i_OCSP_RESPID(NULL, - &sdata, idsize); - if (!id) - { + &sdata, idsize); + if (!id) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (data != sdata) - { + } + if (data != sdata) { OCSP_RESPID_free(id); *al = SSL_AD_DECODE_ERROR; return 0; - } + } if (!s->tlsext_ocsp_ids && !(s->tlsext_ocsp_ids = - sk_OCSP_RESPID_new_null())) - { + sk_OCSP_RESPID_new_null())) { OCSP_RESPID_free(id); *al = SSL_AD_INTERNAL_ERROR; return 0; - } + } if (!sk_OCSP_RESPID_push( - s->tlsext_ocsp_ids, id)) - { + s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id); *al = SSL_AD_INTERNAL_ERROR; return 0; - } } + } /* Read in request_extensions */ - if (size < 2) - { + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } - n2s(data,dsize); + } + n2s(data, dsize); size -= 2; - if (dsize != size) - { + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sdata = data; - if (dsize > 0) - { - if (s->tlsext_ocsp_exts) - { + if (dsize > 0) { + if (s->tlsext_ocsp_exts) { sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - } + X509_EXTENSION_free); + } s->tlsext_ocsp_exts = - d2i_X509_EXTENSIONS(NULL, - &sdata, dsize); + d2i_X509_EXTENSIONS(NULL, + &sdata, dsize); if (!s->tlsext_ocsp_exts - || (data + dsize != sdata)) - { + || (data + dsize != sdata)) { *al = SSL_AD_DECODE_ERROR; return 0; - } } } + } /* We don't know what to do with any other type * so ignore it. 
*/ - else - s->tlsext_status_type = -1; - } + else + s->tlsext_status_type = -1; + } #ifndef OPENSSL_NO_HEARTBEATS - else if (type == TLSEXT_TYPE_heartbeat) - { - switch(data[0]) - { - case 0x01: /* Client allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - break; - case 0x02: /* Client doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; - break; - default: *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + else if (type == TLSEXT_TYPE_heartbeat) { + switch (data[0]) { + case 0x01: /* Client allows us to send HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + break; + case 0x02: /* Client doesn't accept HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + break; + default: + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; } + } #endif #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) - { + s->s3->tmp.finish_md_len == 0) { /* We shouldn't accept this extension on a * renegotiation. * @@ -1439,22 +1377,21 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in * in the Hello protocol round, well before a new * Finished message could have been computed.) */ s->s3->next_proto_neg_seen = 1; - } + } #endif /* session ticket processed earlier */ #ifndef OPENSSL_NO_SRTP - else if (type == TLSEXT_TYPE_use_srtp) - { - if(ssl_parse_clienthello_use_srtp_ext(s, data, size, - al)) - return 0; - } + else if (type == TLSEXT_TYPE_use_srtp) { + if (ssl_parse_clienthello_use_srtp_ext(s, data, size, + al)) + return 0; + } #endif - data+=size; - } - + data += size; + } + *p = data; ri_check: 
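Review bot: The heartbeat branch in the `@@ -1246` hunk evaluates `switch (data[0])` without first checking that `size` is at least 1. For an empty heartbeat extension the byte examined is the first byte of the next extension, or lies past the end of the message, and its value then decides which `tlsext_heartbeat` flags are set. Adding `if (size < 1) { *al = SSL_AD_DECODE_ERROR; return 0; }` ahead of the `switch` makes the read safe. The ServerHello parser in the hunk at `@@ -1616` has the same unguarded `switch (data[0])`.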
@@ -1462,39 +1399,39 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in /* Need RI if renegotiating */ if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; - } + } return 1; - } +} #ifndef OPENSSL_NO_NEXTPROTONEG /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No * elements of zero length are allowed and the set of elements must exactly fill * the length of the block. */ -static char ssl_next_proto_validate(unsigned char *d, unsigned len) - { +static char +ssl_next_proto_validate(unsigned char *d, unsigned len) +{ unsigned int off = 0; - while (off < len) - { + while (off < len) { if (d[off] == 0) return 0; off += d[off]; off++; - } + } return off == len; - } +} #endif -int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) - { +int +ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) +{ unsigned short length; unsigned short type; unsigned short size; 
@@ -1508,107 +1445,96 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif - if (data >= (d+n-2)) + if (data >= (d + n - 2)) goto ri_check; - n2s(data,length); - if (data+length != d+n) - { + n2s(data, length); + if (data + length != d + n) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } - while(data <= (d+n-4)) - { - n2s(data,type); - n2s(data,size); + while (data <= (d + n - 4)) { + n2s(data, type); + n2s(data, size); - if (data+size > (d+n)) - goto ri_check; + if (data + size > (d + n)) + goto ri_check; if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 1, type, data, size, - s->tlsext_debug_arg); + s->tlsext_debug_arg); - if (type == TLSEXT_TYPE_server_name) - { - if (s->tlsext_hostname == NULL || size > 0) - { + if (type == TLSEXT_TYPE_server_name) { + if (s->tlsext_hostname == NULL || size > 0) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; - } - tlsext_servername = 1; } + tlsext_servername = 1; + + } #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1 || - ecpointformatlist_length < 1) - { + if (ecpointformatlist_length != size - 1 || + ecpointformatlist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; - } + } s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) - { + if (s->session->tlsext_ecpointformatlist != NULL) + OPENSSL_free(s->session->tlsext_ecpointformatlist); + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = 
TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 - fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); + fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist; for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - fprintf(stderr,"%i ",*(sdata++)); - fprintf(stderr,"\n"); + fprintf(stderr, "%i ", *(sdata++)); + fprintf(stderr, "\n"); #endif - } + } #endif /* OPENSSL_NO_EC */ - else if (type == TLSEXT_TYPE_session_ticket) - { + else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) - { + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) - || (size > 0)) - { + || (size > 0)) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; - } - s->tlsext_ticket_expected = 1; } + s->tlsext_ticket_expected = 1; + } #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; - if (size < 2) - { + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } n2s(sdata, s->s3->server_opaque_prf_input_len); - if (s->s3->server_opaque_prf_input_len != size - 2) - { + if (s->s3->server_opaque_prf_input_len != size - 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } - + } + if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); if (s->s3->server_opaque_prf_input_len == 0) 
@@ -1616,123 +1542,107 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in else s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); - if (s->s3->server_opaque_prf_input == NULL) - { + if (s->s3->server_opaque_prf_input == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } } + } #endif else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* MUST be empty and only sent if we've requested * a status request message. */ - if ((s->tlsext_status_type == -1) || (size > 0)) - { + if ((s->tlsext_status_type == -1) || (size > 0)) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; - } + } /* Set flag to expect CertificateStatus message */ s->tlsext_status_expected = 1; - } + } #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) - { + s->s3->tmp.finish_md_len == 0) { unsigned char *selected; unsigned char selected_len; /* We must have requested it. 
*/ - if (s->ctx->next_proto_select_cb == NULL) - { + if (s->ctx->next_proto_select_cb == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; - } + } /* The data must be valid */ - if (!ssl_next_proto_validate(data, size)) - { + if (!ssl_next_proto_validate(data, size)) { *al = TLS1_AD_DECODE_ERROR; return 0; - } - if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) - { + } + if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->next_proto_negotiated = OPENSSL_malloc(selected_len); - if (!s->next_proto_negotiated) - { + if (!s->next_proto_negotiated) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } memcpy(s->next_proto_negotiated, selected, selected_len); s->next_proto_negotiated_len = selected_len; s->s3->next_proto_neg_seen = 1; - } + } #endif - else if (type == TLSEXT_TYPE_renegotiate) - { - if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) + else if (type == TLSEXT_TYPE_renegotiate) { + if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) return 0; renegotiate_seen = 1; - } + } #ifndef OPENSSL_NO_HEARTBEATS - else if (type == TLSEXT_TYPE_heartbeat) - { - switch(data[0]) - { - case 0x01: /* Server allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - break; - case 0x02: /* Server doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; - break; - default: *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + else if (type == TLSEXT_TYPE_heartbeat) { + switch (data[0]) { + case 0x01: /* Server allows us to send HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + break; + case 0x02: /* Server doesn't accept HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= 
SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + break; + default: + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; } + } #endif #ifndef OPENSSL_NO_SRTP - else if (type == TLSEXT_TYPE_use_srtp) - { - if(ssl_parse_serverhello_use_srtp_ext(s, data, size, - al)) - return 0; - } + else if (type == TLSEXT_TYPE_use_srtp) { + if (ssl_parse_serverhello_use_srtp_ext(s, data, size, + al)) + return 0; + } #endif - data+=size; - } + data += size; + + } - if (data != d+n) - { + if (data != d + n) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } + + if (!s->hit && tlsext_servername == 1) { + if (s->tlsext_hostname) { + if (s->session->tlsext_hostname == NULL) { + s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); - if (!s->hit && tlsext_servername == 1) - { - if (s->tlsext_hostname) - { - if (s->session->tlsext_hostname == NULL) - { - s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); - if (!s->session->tlsext_hostname) - { + if (!s->session->tlsext_hostname) { *al = SSL_AD_UNRECOGNIZED_NAME; return 0; - } } - else - { + } else { *al = SSL_AD_DECODE_ERROR; return 0; - } } } + } *p = data; @@ -1747,20 +1657,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in */ if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; - } + } return 1; - } +} -int ssl_prepare_clienthello_tlsext(SSL *s) - { +int +ssl_prepare_clienthello_tlsext(SSL *s) +{ #ifndef OPENSSL_NO_EC /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats * and elliptic curves we support. 
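Review bot: In the next_proto_neg branch of the `@@ -1616` hunk, `s->next_proto_negotiated = OPENSSL_malloc(selected_len);` overwrites the pointer without releasing a previous value. No duplicate-extension check is visible in this hunk, so a ServerHello carrying the extension twice would presumably leak the first buffer. Releasing it first, in the file's existing style, avoids that: `if (s->next_proto_negotiated != NULL) OPENSSL_free(s->next_proto_negotiated);`. The enclosing function starts outside this hunk, so an earlier reset of the field cannot be excluded from here.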
@@ -1771,63 +1681,59 @@ int ssl_prepare_clienthello_tlsext(SSL *s) unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); - for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) - { + for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) - { + if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1; break; - } } + } using_ecc = using_ecc && (s->version >= TLS1_VERSION); - if (using_ecc) - { - if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); - if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + if (using_ecc) { + if (s->tlsext_ecpointformatlist != NULL) + OPENSSL_free(s->tlsext_ecpointformatlist); + if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } + } s->tlsext_ecpointformatlist_length = 3; s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ - if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); + if (s->tlsext_ellipticcurvelist != NULL) + OPENSSL_free(s->tlsext_ellipticcurvelist); s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; - if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) - { + if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) { s->tlsext_ellipticcurvelist_length = 0; - 
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } - for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < - sizeof(pref_list)/sizeof(pref_list[0]); i++) - { + } + for (i = 0, j = s->tlsext_ellipticcurvelist; + (unsigned int)i < + sizeof(pref_list)/sizeof(pref_list[0]); + i++) { int id = tls1_ec_nid2curve_id(pref_list[i]); - s2n(id,j); - } + s2n(id, j); } + } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input - { + { int r = 1; - - if (s->ctx->tlsext_opaque_prf_input_callback != 0) - { + + if (s->ctx->tlsext_opaque_prf_input_callback != 0) { r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); if (!r) return -1; - } + } - if (s->tlsext_opaque_prf_input != NULL) - { + if (s->tlsext_opaque_prf_input != NULL) { if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); 
@@ -1835,25 +1741,25 @@ int ssl_prepare_clienthello_tlsext(SSL *s) s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ else s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); - if (s->s3->client_opaque_prf_input == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + if (s->s3->client_opaque_prf_input == NULL) { + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } - s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } + s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + } if (r == 2) /* at callback's request, insist on receiving an appropriate server opaque PRF input */ - s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } #endif return 1; - } +} -int ssl_prepare_serverhello_tlsext(SSL *s) - { +int +ssl_prepare_serverhello_tlsext(SSL *s) +{ #ifndef OPENSSL_NO_EC /* If we are server and using an ECC cipher suite, send the point formats we support * if the client sent us an ECPointsFormat extension. Note that the server is not 
@@ -1864,28 +1770,28 @@ int ssl_prepare_serverhello_tlsext(SSL *s) unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); - - if (using_ecc) - { - if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); - if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + + if (using_ecc) { + if (s->tlsext_ecpointformatlist != NULL) + OPENSSL_free(s->tlsext_ecpointformatlist); + if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { + SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } + } s->tlsext_ecpointformatlist_length = 3; s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } + } #endif /* OPENSSL_NO_EC */ return 1; - } +} -int ssl_check_clienthello_tlsext_early(SSL *s) - { - int ret=SSL_TLSEXT_ERR_NOACK; +int +ssl_check_clienthello_tlsext_early(SSL *s) +{ + int ret = SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; #ifndef OPENSSL_NO_EC 
@@ -1897,40 +1803,36 @@ int ssl_check_clienthello_tlsext_early(SSL *s) */ #endif - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); #ifdef TLSEXT_TYPE_opaque_prf_input - { + { /* This sort of belongs into ssl_prepare_serverhello_tlsext(), * but we might be sending an alert in response to the client hello, * so this has to happen here in * ssl_check_clienthello_tlsext_early(). */ int r = 1; - - if (s->ctx->tlsext_opaque_prf_input_callback != 0) - { + + if (s->ctx->tlsext_opaque_prf_input_callback != 0) { r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); - if (!r) - { + if (!r) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_INTERNAL_ERROR; goto err; - } } + } if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); s->s3->server_opaque_prf_input = NULL; - if (s->tlsext_opaque_prf_input != NULL) - { + if (s->tlsext_opaque_prf_input != NULL) { if (s->s3->client_opaque_prf_input != NULL && - s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) - { + s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { /* can only use this extension if we have a server opaque PRF input * of the same length as the client opaque PRF input! */ 
@@ -1938,48 +1840,48 @@ int ssl_check_clienthello_tlsext_early(SSL *s) s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ else s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); - if (s->s3->server_opaque_prf_input == NULL) - { + if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_INTERNAL_ERROR; goto err; - } - s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } + s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } + } - if (r == 2 && s->s3->server_opaque_prf_input == NULL) - { + if (r == 2 && s->s3->server_opaque_prf_input == NULL) { /* The callback wants to enforce use of the extension, * but we can't do that with the client opaque PRF input; * abort the handshake. */ ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_HANDSHAKE_FAILURE; - } + } } - err: + err: #endif - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done=0; - default: + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + default: return 1; - } } +} -int ssl_check_clienthello_tlsext_late(SSL *s) - { +int +ssl_check_clienthello_tlsext_late(SSL *s) +{ int ret = SSL_TLSEXT_ERR_OK; int al; 
@@ -1988,64 +1890,62 @@ int ssl_check_clienthello_tlsext_late(SSL *s) * the certificate has changed, and must be called after the cipher * has been chosen because this may influence which certificate is sent */ - if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) - { + if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { int r; CERT_PKEY *certpkey; certpkey = ssl_get_server_send_pkey(s); /* If no certificate can't return certificate status */ - if (certpkey == NULL) - { + if (certpkey == NULL) { s->tlsext_status_expected = 0; return 1; - } + } /* Set current certificate to one we will use so * SSL_get_certificate et al can pick it up. */ s->cert->key = certpkey; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - switch (r) - { + switch (r) { /* We don't want to send a status request response */ - case SSL_TLSEXT_ERR_NOACK: - s->tlsext_status_expected = 0; - break; + case SSL_TLSEXT_ERR_NOACK: + s->tlsext_status_expected = 0; + break; /* status request response should be sent */ - case SSL_TLSEXT_ERR_OK: - if (s->tlsext_ocsp_resp) - s->tlsext_status_expected = 1; - else - s->tlsext_status_expected = 0; - break; + case SSL_TLSEXT_ERR_OK: + if (s->tlsext_ocsp_resp) + s->tlsext_status_expected = 1; + else + s->tlsext_status_expected = 0; + break; /* something bad happened */ - case SSL_TLSEXT_ERR_ALERT_FATAL: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - al = SSL_AD_INTERNAL_ERROR; - goto err; - } + case SSL_TLSEXT_ERR_ALERT_FATAL: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + al = SSL_AD_INTERNAL_ERROR; + goto err; } - else + } else s->tlsext_status_expected = 0; - err: - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; +err: + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return 1; + return -1; - default: - return 1; - } + case 
SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + + default: + return 1; } +} -int ssl_check_serverhello_tlsext(SSL *s) - { - int ret=SSL_TLSEXT_ERR_NOACK; +int +ssl_check_serverhello_tlsext(SSL *s) +{ + int ret = SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; #ifndef OPENSSL_NO_EC 
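Review bot: The `switch (r)` over the `tlsext_status_cb` result in ssl_check_clienthello_tlsext_late has no `default`, so any return value other than the three listed cases leaves `ret` at SSL_TLSEXT_ERR_OK and `tlsext_status_expected` at whatever it held before the call. Since the callback decides whether a certificate status response is sent, an unrecognised result should fail closed; putting `default:` directly above `case SSL_TLSEXT_ERR_ALERT_FATAL:` would route it to the internal-error alert. The gap predates this whitespace-only pass. The opening lines of the function sit in the previous hunk's trailing context.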
@@ -2055,105 +1955,95 @@ int ssl_check_serverhello_tlsext(SSL *s) */ unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && - (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) - { + if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && + (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && + ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list; int found_uncompressed = 0; list = s->session->tlsext_ecpointformatlist; - for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - { - if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) - { + for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { + if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { found_uncompressed = 1; break; - } } - if (!found_uncompressed) - { - SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); + } + if (!found_uncompressed) { + SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); return -1; - } } + } ret = SSL_TLSEXT_ERR_OK; #endif /* OPENSSL_NO_EC */ - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); #ifdef TLSEXT_TYPE_opaque_prf_input - if 
(s->s3->server_opaque_prf_input_len > 0) - { + if (s->s3->server_opaque_prf_input_len > 0) { /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. * So first verify that we really have a value from the server too. */ - if (s->s3->server_opaque_prf_input == NULL) - { + if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_HANDSHAKE_FAILURE; - } - + } + /* Anytime the server *has* sent an opaque PRF input, we need to check * that we have a client opaque PRF input of the same size. */ if (s->s3->client_opaque_prf_input == NULL || - s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) - { + s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_ILLEGAL_PARAMETER; - } } + } #endif /* If we've requested certificate status and we wont get one * tell the callback */ if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) - && s->ctx && s->ctx->tlsext_status_cb) - { + && s->ctx && s->ctx->tlsext_status_cb) { int r; /* Set resp to NULL, resplen to -1 so callback knows * there is no response. 
*/ - if (s->tlsext_ocsp_resp) - { + if (s->tlsext_ocsp_resp) { OPENSSL_free(s->tlsext_ocsp_resp); s->tlsext_ocsp_resp = NULL; - } + } s->tlsext_ocsp_resplen = -1; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - if (r == 0) - { + if (r == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } - if (r < 0) - { + } + if (r < 0) { al = SSL_AD_INTERNAL_ERROR; ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } } + } - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done=0; - default: + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + default: return 1; - } } +} /* Since the server cache lookup is done early on in the processing of the * ClientHello, and other operations depend on the result, we need to handle @@ -2188,9 +2078,10 @@ int ssl_check_serverhello_tlsext(SSL *s) * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. * Otherwise, s->tlsext_ticket_expected is set to 0. */ -int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - const unsigned char *limit, SSL_SESSION **ret) - { +int +tls1_process_ticket(SSL *s, unsigned char *session_id, int len, + const unsigned char *limit, SSL_SESSION **ret) +{ /* Point after session ID in client hello */ const unsigned char *p = session_id + len; unsigned short i; 
@@ -2208,16 +2099,15 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, if (p >= limit) return -1; /* Skip past DTLS cookie */ - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) - { + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { i = *(p++); - p+= i; + p += i; if (p >= limit) return -1; - } + } /* Skip past cipher list */ n2s(p, i); - p+= i; + p += i; if (p >= limit) return -1; /* Skip past compression algorithm list */ 
@@ -2229,51 +2119,46 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, if ((p + 2) >= limit) return 0; n2s(p, i); - while ((p + 4) <= limit) - { + while ((p + 4) <= limit) { unsigned short type, size; n2s(p, type); n2s(p, size); if (p + size > limit) return 0; - if (type == TLSEXT_TYPE_session_ticket) - { + if (type == TLSEXT_TYPE_session_ticket) { int r; - if (size == 0) - { + if (size == 0) { /* The client will accept a ticket but doesn't * currently have one. */ s->tlsext_ticket_expected = 1; return 1; - } - if (s->tls_session_secret_cb) - { + } + if (s->tls_session_secret_cb) { /* Indicate that the ticket couldn't be * decrypted rather than generating the session * from ticket now, trigger abbreviated * handshake based on external mechanism to * calculate the master secret later. */ return 2; - } + } r = tls_decrypt_ticket(s, p, size, session_id, len, ret); - switch (r) - { - case 2: /* ticket couldn't be decrypted */ - s->tlsext_ticket_expected = 1; - return 2; - case 3: /* ticket was decrypted */ - return r; - case 4: /* ticket decrypted but need to renew */ - s->tlsext_ticket_expected = 1; - return 3; - default: /* fatal error */ - return -1; - } + switch (r) { + case 2: /* ticket couldn't be decrypted */ + s->tlsext_ticket_expected = 1; + return 2; + case 3: /* ticket was decrypted */ + return r; + case 4: /* ticket decrypted but need to renew */ + s->tlsext_ticket_expected = 1; + return 3; + default: /* fatal error */ + return -1; } - p += size; } - return 0; + p += size; } + return 0; +} /* tls_decrypt_ticket attempts to decrypt a session ticket. * 
@@ -2290,10 +2175,10 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, * 3: a ticket was successfully decrypted and *psess was set. * 4: same as 3, but the ticket needs to be renewed. */ -static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, - const unsigned char *sess_id, int sesslen, - SSL_SESSION **psess) - { +static int +tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, + const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) +{ SSL_SESSION *sess; unsigned char *sdec; const unsigned char *p; @@ -2308,37 +2193,33 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, /* Initialize session ticket encryption and HMAC contexts */ HMAC_CTX_init(&hctx); EVP_CIPHER_CTX_init(&ctx); - if (tctx->tlsext_ticket_key_cb) - { + if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, - &ctx, &hctx, 0); + &ctx, &hctx, 0); if (rv < 0) return -1; if (rv == 0) return 2; if (rv == 2) renew_ticket = 1; - } - else - { + } else { /* Check key name matches */ if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) return 2; HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, - tlsext_tick_md(), NULL); + tlsext_tick_md(), NULL); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->tlsext_tick_aes_key, etick + 16); - } + tctx->tlsext_tick_aes_key, etick + 16); + } /* Attempt to process session ticket, first conduct sanity and * integrity checks on ticket. */ mlen = HMAC_size(&hctx); - if (mlen < 0) - { + if (mlen < 0) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; - } + } eticklen -= mlen; /* Check HMAC of encrypted ticket */ HMAC_Update(&hctx, etick, eticklen); 
@@ -2351,11 +2232,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); sdec = OPENSSL_malloc(eticklen); - if (!sdec) - { + if (!sdec) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; - } + } EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) return 2; @@ -2365,8 +2245,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, sess = d2i_SSL_SESSION(NULL, &p, slen); OPENSSL_free(sdec); - if (sess) - { + if (sess) { /* The session ID, if non-empty, is used by some clients to * detect that the ticket has been accepted. So we copy it to * the session structure. If it is empty set length to zero @@ -2380,20 +2259,19 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, return 4; else return 3; - } - ERR_clear_error(); + } + ERR_clear_error(); /* For session parse failure, indicate that we need to send a new * ticket. */ return 2; - } +} /* Tables to translate from NIDs to TLS v1.2 ids */ -typedef struct - { +typedef struct { int nid; int id; - } tls12_lookup; +} tls12_lookup; static tls12_lookup tls12_md[] = { #ifndef OPENSSL_NO_MD5 
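Review bot: In the `@@ -2351` hunk of tls_decrypt_ticket, the `EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0` branch returns 2 without freeing `sdec` or cleaning up `ctx`, whereas the allocation-failure branch just above it does call `EVP_CIPHER_CTX_cleanup(&ctx)`. The ticket is supplied by the peer, so every ticket that reaches this point and fails final decryption leaks an `eticklen`-sized buffer, which adds up on a long-running server. Adding `EVP_CIPHER_CTX_cleanup(&ctx);` and `OPENSSL_free(sdec);` before that `return 2;` closes the leak. The return value of `EVP_DecryptUpdate` on the preceding line is also ignored. The function begins and ends outside this hunk.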
@@ -2424,36 +2302,37 @@ static tls12_lookup tls12_sig[] = { #endif }; -static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) - { +static int +tls12_find_id(int nid, tls12_lookup *table, size_t tlen) +{ size_t i; - for (i = 0; i < tlen; i++) - { + for (i = 0; i < tlen; i++) { if (table[i].nid == nid) return table[i].id; - } - return -1; } + return -1; +} #if 0 -static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) - { +static int +tls12_find_nid(int id, tls12_lookup *table, size_t tlen) +{ size_t i; - for (i = 0; i < tlen; i++) - { + for (i = 0; i < tlen; i++) { if (table[i].id == id) return table[i].nid; - } - return -1; } + return -1; +} #endif -int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) - { +int +tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) +{ int sig_id, md_id; if (!md) return 0; md_id = tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md)/sizeof(tls12_lookup)); + sizeof(tls12_md)/sizeof(tls12_lookup)); if (md_id == -1) return 0; sig_id = tls12_get_sigid(pk); 
@@ -2462,46 +2341,48 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) p[0] = (unsigned char)md_id; p[1] = (unsigned char)sig_id; return 1; - } +} -int tls12_get_sigid(const EVP_PKEY *pk) - { +int +tls12_get_sigid(const EVP_PKEY *pk) +{ return tls12_find_id(pk->type, tls12_sig, - sizeof(tls12_sig)/sizeof(tls12_lookup)); - } + sizeof(tls12_sig)/sizeof(tls12_lookup)); +} -const EVP_MD *tls12_get_hash(unsigned char hash_alg) - { - switch(hash_alg) - { +const EVP_MD +*tls12_get_hash(unsigned char hash_alg) +{ + switch (hash_alg) { #ifndef OPENSSL_NO_SHA - case TLSEXT_hash_sha1: + case TLSEXT_hash_sha1: return EVP_sha1(); #endif #ifndef OPENSSL_NO_SHA256 - case TLSEXT_hash_sha224: + case TLSEXT_hash_sha224: return EVP_sha224(); - case TLSEXT_hash_sha256: + case TLSEXT_hash_sha256: return EVP_sha256(); #endif #ifndef OPENSSL_NO_SHA512 - case TLSEXT_hash_sha384: + case TLSEXT_hash_sha384: return EVP_sha384(); - case TLSEXT_hash_sha512: + case TLSEXT_hash_sha512: return EVP_sha512(); #endif - default: + default: return NULL; - } } +} /* Set preferred digest for each key type */ -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) - { +int +tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) +{ int i, idx; const EVP_MD *md; CERT *c = s->cert; 
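Review bot: The new declaration `const EVP_MD` / `*tls12_get_hash(unsigned char hash_alg)` puts the `*` at the start of the line that carries the function name. style(9) keeps the whole return type, pointer included, on its own line: `const EVP_MD *` followed by `tls12_get_hash(unsigned char hash_alg)`. As written the name no longer starts in column 0, which defeats the `^name(` search the convention exists to support. The same split appears at `tls1_get_method` in the t1_meth.c hunk (`static const SSL_METHOD` / `*tls1_get_method(int ver)`).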
@@ -2517,44 +2398,40 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; c->pkeys[SSL_PKEY_ECC].digest = NULL; - for (i = 0; i < dsize; i += 2) - { - unsigned char hash_alg = data[i], sig_alg = data[i+1]; + for (i = 0; i < dsize; i += 2) { + unsigned char hash_alg = data[i], sig_alg = data[i + 1]; - switch(sig_alg) - { + switch (sig_alg) { #ifndef OPENSSL_NO_RSA - case TLSEXT_signature_rsa: + case TLSEXT_signature_rsa: idx = SSL_PKEY_RSA_SIGN; break; #endif #ifndef OPENSSL_NO_DSA - case TLSEXT_signature_dsa: + case TLSEXT_signature_dsa: idx = SSL_PKEY_DSA_SIGN; break; #endif #ifndef OPENSSL_NO_ECDSA - case TLSEXT_signature_ecdsa: + case TLSEXT_signature_ecdsa: idx = SSL_PKEY_ECC; break; #endif - default: + default: continue; - } + } - if (c->pkeys[idx].digest == NULL) - { + if (c->pkeys[idx].digest == NULL) { md = tls12_get_hash(hash_alg); - if (md) - { + if (md) { c->pkeys[idx].digest = md; if (idx == SSL_PKEY_RSA_SIGN) c->pkeys[SSL_PKEY_RSA_ENC].digest = md; - } } - } + } + /* Set any remaining keys to default values. NOTE: if alg is not * supported it stays as NULL. @@ -2564,25 +2441,24 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) - { + if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } + } #endif #ifndef OPENSSL_NO_ECDSA if (!c->pkeys[SSL_PKEY_ECC].digest) c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif return 1; - } +} #endif #ifndef OPENSSL_NO_HEARTBEATS int tls1_process_heartbeat(SSL *s) - { +{ unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned short hbtype; unsigned int payload; 
@@ -2590,8 +2466,8 @@ tls1_process_heartbeat(SSL *s) if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); /* Read type and payload length first */ if (1 + 2 + 16 > s->s3->rrec.length) @@ -2602,8 +2478,7 @@ tls1_process_heartbeat(SSL *s) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p; - if (hbtype == TLS1_HB_REQUEST) - { + if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; int r; @@ -2613,7 +2488,7 @@ tls1_process_heartbeat(SSL *s) */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; - + /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); @@ -2626,36 +2501,33 @@ tls1_process_heartbeat(SSL *s) if (r >= 0 && s->msg_callback) s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buffer, 3 + payload + padding, - s, s->msg_callback_arg); + buffer, 3 + payload + padding, + s, s->msg_callback_arg); OPENSSL_free(buffer); if (r < 0) return r; - } - else if (hbtype == TLS1_HB_RESPONSE) - { + } else if (hbtype == TLS1_HB_RESPONSE) { unsigned int seq; - + /* We only send sequence numbers (2 bytes unsigned int), * and 16 random bytes, so we just try to read the * sequence number */ n2s(pl, seq); - - if (payload == 18 && seq == s->tlsext_hb_seq) - { + + if (payload == 18 && seq == s->tlsext_hb_seq) { s->tlsext_hb_seq++; s->tlsext_hb_pending = 0; - } } + } return 0; - } +} int tls1_heartbeat(SSL *s) - { +{ unsigned char *buf, *p; int ret; unsigned int payload = 18; /* Sequence number + random bytes */ 
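Review bot: In the `@@ -2613` hunk of tls1_process_heartbeat, the result of `OPENSSL_malloc(1 + 2 + payload + padding)` is copied into `bp` and written through by `*bp++ = TLS1_HB_RESPONSE;` with no NULL check in between. `payload` appears to come from the received heartbeat record, so an allocation failure under memory pressure becomes a NULL dereference on a path the peer can trigger. A guard such as `if (buffer == NULL) return -1;` directly after the allocation would handle it. The right error value depends on the callers, which are not visible here. The start and end of the function lie in the neighbouring hunks.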
@@ -2663,26 +2535,23 @@ tls1_heartbeat(SSL *s) /* Only send if peer supports and accepts HB requests... */ if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || - s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) - { - SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); + s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { + SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); return -1; - } + } /* ...and there is none in flight yet... */ - if (s->tlsext_hb_pending) - { - SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); + if (s->tlsext_hb_pending) { + SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); return -1; - } - + } + /* ...and no handshake in progress. */ - if (SSL_in_init(s) || s->in_handshake) - { - SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); + if (SSL_in_init(s) || s->in_handshake) { + SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); return -1; - } - + } + /* Check if padding is too long, payload and padding * must not exceed 2^14 - 3 = 16381 bytes in total. */ @@ -2712,18 +2581,17 @@ tls1_heartbeat(SSL *s) RAND_pseudo_bytes(p, padding); ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); - if (ret >= 0) - { + if (ret >= 0) { if (s->msg_callback) s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buf, 3 + payload + padding, - s, s->msg_callback_arg); + buf, 3 + payload + padding, + s, s->msg_callback_arg); s->tlsext_hb_pending = 1; - } - + } + OPENSSL_free(buf); return ret; - } +} #endif diff --git a/src/lib/libssl/src/ssl/t1_meth.c b/src/lib/libssl/src/ssl/t1_meth.c index 53c807de28..ab2d789e59 100644 --- a/src/lib/libssl/src/ssl/t1_meth.c +++ b/src/lib/libssl/src/ssl/t1_meth.c @@ -60,8 +60,9 @@ #include #include "ssl_locl.h" -static const SSL_METHOD *tls1_get_method(int ver) - { +static const SSL_METHOD +*tls1_get_method(int ver) +{ if (ver == TLS1_2_VERSION) return TLSv1_2_method(); if (ver == TLS1_1_VERSION) 
@@ -69,20 +70,13 @@ static const SSL_METHOD *tls1_get_method(int ver) if (ver == TLS1_VERSION) return TLSv1_method(); return NULL; - } +} IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method, - ssl3_accept, - ssl3_connect, - tls1_get_method) + ssl3_accept, ssl3_connect, tls1_get_method) IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method, - ssl3_accept, - ssl3_connect, - tls1_get_method) + ssl3_accept, ssl3_connect, tls1_get_method) IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method, - ssl3_accept, - ssl3_connect, - tls1_get_method) - + ssl3_accept, ssl3_connect, tls1_get_method) diff --git a/src/lib/libssl/src/ssl/t1_reneg.c b/src/lib/libssl/src/ssl/t1_reneg.c index 9c2cc3c712..86e0e61ffb 100644 --- a/src/lib/libssl/src/ssl/t1_reneg.c +++ b/src/lib/libssl/src/ssl/t1_reneg.c 
@@ -113,180 +113,170 @@ #include "ssl_locl.h" /* Add the client's renegotiation binding */ -int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) - { - if(p) - { - if((s->s3->previous_client_finished_len+1) > maxlen) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len; - p++; +int +ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, + int maxlen) +{ + if (p) { + if ((s->s3->previous_client_finished_len + 1) > maxlen) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG); + return 0; + } - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); + /* Length byte */ + *p = s->s3->previous_client_finished_len; + p++; + + memcpy(p, s->s3->previous_client_finished, + s->s3->previous_client_finished_len); #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by client\n", + fprintf(stderr, "%s RI extension sent by client\n", s->s3->previous_client_finished_len ? 
"Non-empty" : "Empty"); #endif - } - - *len=s->s3->previous_client_finished_len + 1; + } + + *len = s->s3->previous_client_finished_len + 1; - - return 1; - } + return 1; +} /* Parse the client's renegotiation binding and abort if it's not right */ -int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, - int *al) - { - int ilen; +int +ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, + int *al) +{ + int ilen; + + /* Parse the length byte */ + if (len < 1) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + ilen = *d; + d++; - /* Parse the length byte */ - if(len < 1) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - ilen = *d; - d++; + /* Consistency check */ + if ((ilen + 1) != len) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } - /* Consistency check */ - if((ilen+1) != len) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + /* Check that the extension matches */ + if (ilen != s->s3->previous_client_finished_len) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } - /* Check that the extension matches */ - if(ilen != s->s3->previous_client_finished_len) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if(memcmp(d, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } + if (memcmp(d, s->s3->previous_client_finished, + 
s->s3->previous_client_finished_len)) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by server\n", - ilen ? "Non-empty" : "Empty"); + fprintf(stderr, "%s RI extension received by server\n", + ilen ? "Non-empty" : "Empty"); #endif - s->s3->send_connection_binding=1; + s->s3->send_connection_binding = 1; - return 1; - } + return 1; +} /* Add the server's renegotiation binding */ -int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) - { - if(p) - { - if((s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len + 1) > maxlen) - { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; - p++; +int +ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, + int maxlen) +{ + if (p) { + if ((s->s3->previous_client_finished_len + + s->s3->previous_server_finished_len + 1) > maxlen) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG); + return 0; + } - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); - p += s->s3->previous_client_finished_len; + /* Length byte */ + *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; + p++; - memcpy(p, s->s3->previous_server_finished, - s->s3->previous_server_finished_len); + memcpy(p, s->s3->previous_client_finished, + s->s3->previous_client_finished_len); + p += s->s3->previous_client_finished_len; + + memcpy(p, s->s3->previous_server_finished, + s->s3->previous_server_finished_len); #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by server\n", - s->s3->previous_client_finished_len ? 
"Non-empty" : "Empty"); + fprintf(stderr, "%s RI extension sent by server\n", + s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); #endif - } - - *len=s->s3->previous_client_finished_len + } + + *len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len + 1; - - return 1; - } + + return 1; +} /* Parse the server's renegotiation binding and abort if it's not right */ -int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, - int *al) - { - int expected_len=s->s3->previous_client_finished_len +int +ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, + int *al) +{ + int expected_len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; - int ilen; + int ilen; + + /* Check for logic errors */ + OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); + OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); + + /* Parse the length byte */ + if (len < 1) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + ilen = *d; + d++; - /* Check for logic errors */ - OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); - OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); - - /* Parse the length byte */ - if(len < 1) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - ilen = *d; - d++; + /* Consistency check */ + if (ilen + 1 != len) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } - /* Consistency check */ - if(ilen+1 != len) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Check that the extension matches */ - if(ilen != expected_len) - { - 
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } + /* Check that the extension matches */ + if (ilen != expected_len) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } - if(memcmp(d, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - d += s->s3->previous_client_finished_len; + if (memcmp(d, s->s3->previous_client_finished, + s->s3->previous_client_finished_len)) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } + d += s->s3->previous_client_finished_len; - if(memcmp(d, s->s3->previous_server_finished, - s->s3->previous_server_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + if (memcmp(d, s->s3->previous_server_finished, + s->s3->previous_server_finished_len)) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by client\n", - ilen ? "Non-empty" : "Empty"); + fprintf(stderr, "%s RI extension received by client\n", + ilen ? "Non-empty" : "Empty"); #endif - s->s3->send_connection_binding=1; + s->s3->send_connection_binding = 1; - return 1; - } + return 1; +} diff --git a/src/lib/libssl/src/ssl/t1_srvr.c b/src/lib/libssl/src/ssl/t1_srvr.c index f1d1565769..776bcabc46 100644 --- a/src/lib/libssl/src/ssl/t1_srvr.c +++ b/src/lib/libssl/src/ssl/t1_srvr.c 
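Review bot: The three verify_data comparisons in ssl_parse_clienthello_renegotiate_ext and ssl_parse_serverhello_renegotiate_ext use `memcmp`, which stops at the first differing byte, so the time taken depends on how much of the peer-supplied value matches the stored Finished data. These values bind a renegotiation to the previous handshake, so a constant-time comparison is the safer default, for example with OpenSSL's `CRYPTO_memcmp`: `if (CRYPTO_memcmp(d, s->s3->previous_client_finished, s->s3->previous_client_finished_len))`. The length is already checked against the expected value before each comparison, so the swap would not change which inputs are accepted. This belongs in a follow-up commit rather than in a whitespace-only pass.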
@@ -65,8 +65,10 @@ #include static const SSL_METHOD *tls1_get_server_method(int ver); -static const SSL_METHOD *tls1_get_server_method(int ver) - { + +static const SSL_METHOD +*tls1_get_server_method(int ver) +{ if (ver == TLS1_2_VERSION) return TLSv1_2_server_method(); if (ver == TLS1_1_VERSION) @@ -74,20 +76,13 @@ static const SSL_METHOD *tls1_get_server_method(int ver) if (ver == TLS1_VERSION) return TLSv1_server_method(); return NULL; - } +} IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method, - ssl3_accept, - ssl_undefined_function, - tls1_get_server_method) + ssl3_accept, ssl_undefined_function, tls1_get_server_method) IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method, - ssl3_accept, - ssl_undefined_function, - tls1_get_server_method) + ssl3_accept, ssl_undefined_function, tls1_get_server_method) IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method, - ssl3_accept, - ssl_undefined_function, - tls1_get_server_method) - + ssl3_accept, ssl_undefined_function, tls1_get_server_method) diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c index 578617ed84..ac8ff7309f 100644 --- a/src/lib/libssl/t1_clnt.c +++ b/src/lib/libssl/t1_clnt.c @@ -64,8 +64,10 @@ #include static const SSL_METHOD *tls1_get_client_method(int ver); -static const SSL_METHOD *tls1_get_client_method(int ver) - { + +static const SSL_METHOD +*tls1_get_client_method(int ver) +{ if (ver == TLS1_2_VERSION) return TLSv1_2_client_method(); if (ver == TLS1_1_VERSION) 
@@ -73,20 +75,13 @@ static const SSL_METHOD *tls1_get_client_method(int ver) if (ver == TLS1_VERSION) return TLSv1_client_method(); return NULL; - } +} IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_client_method, - ssl_undefined_function, - ssl3_connect, - tls1_get_client_method) + ssl_undefined_function, ssl3_connect, tls1_get_client_method) IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_client_method, - ssl_undefined_function, - ssl3_connect, - tls1_get_client_method) + ssl_undefined_function, ssl3_connect, tls1_get_client_method) IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_client_method, - ssl_undefined_function, - ssl3_connect, - tls1_get_client_method) - + ssl_undefined_function, ssl3_connect, tls1_get_client_method) diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 0c4cddedf8..e59e883424 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -149,15 +149,12 @@ #endif /* seed1 through seed5 are virtually concatenated */ -static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, - int sec_len, - const void *seed1, int seed1_len, - const void *seed2, int seed2_len, - const void *seed3, int seed3_len, - const void *seed4, int seed4_len, - const void *seed5, int seed5_len, - unsigned char *out, int olen) - { +static int +tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, + const void *seed1, int seed1_len, const void *seed2, int seed2_len, + const void *seed3, int seed3_len, const void *seed4, int seed4_len, + const void *seed5, int seed5_len, unsigned char *out, int olen) +{ int chunk; size_t j; EVP_MD_CTX ctx, ctx_tmp; @@ -165,8 +162,8 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, unsigned char A1[EVP_MAX_MD_SIZE]; size_t A1_len; int ret = 0; - - chunk=EVP_MD_size(md); + + chunk = EVP_MD_size(md); OPENSSL_assert(chunk >= 0); EVP_MD_CTX_init(&ctx); 
@@ -176,114 +173,109 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); if (!mac_key) goto err; - if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) goto err; - if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) goto err; - if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) + if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) goto err; - if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) + if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) goto err; - if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) + if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) goto err; - if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) + if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) goto err; - if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) + if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) goto err; - if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) + if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) goto err; - for (;;) - { + for (;;) { /* Reinit mac contexts */ - if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) goto err; - if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) + if (!EVP_DigestSignInit(&ctx_tmp, NULL, md, NULL, mac_key)) goto err; - if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) + if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) goto err; - if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) + if (!EVP_DigestSignUpdate(&ctx_tmp, A1, A1_len)) goto err; - if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) + if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) goto err; - if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) + if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) goto err; - if (seed3 
&& !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) + if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) goto err; - if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) + if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) goto err; - if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) + if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) goto err; - if (olen > chunk) - { - if (!EVP_DigestSignFinal(&ctx,out,&j)) + if (olen > chunk) { + if (!EVP_DigestSignFinal(&ctx, out, &j)) goto err; - out+=j; - olen-=j; + out += j; + olen -= j; /* calc the next A1 value */ - if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) + if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) goto err; - } + } else /* last one */ - { - if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) + { + if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) goto err; - memcpy(out,A1,olen); + memcpy(out, A1, olen); break; - } } + } ret = 1; err: EVP_PKEY_free(mac_key); EVP_MD_CTX_cleanup(&ctx); EVP_MD_CTX_cleanup(&ctx_tmp); - OPENSSL_cleanse(A1,sizeof(A1)); + OPENSSL_cleanse(A1, sizeof(A1)); return ret; - } +} /* seed1 through seed5 are virtually concatenated */ -static int tls1_PRF(long digest_mask, - const void *seed1, int seed1_len, - const void *seed2, int seed2_len, - const void *seed3, int seed3_len, - const void *seed4, int seed4_len, - const void *seed5, int seed5_len, - const unsigned char *sec, int slen, - unsigned char *out1, - unsigned char *out2, int olen) - { - int len,i,idx,count; +static int +tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, + int seed2_len, const void *seed3, int seed3_len, const void *seed4, + int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec, + int slen, unsigned char *out1, unsigned char *out2, int olen) +{ + int len, i, idx, count; const unsigned char *S1; long m; const EVP_MD *md; int ret = 0; /* Count number of digests and partition sec evenly */ - count=0; - for 
(idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { - if ((m<s3->server_random,SSL3_RANDOM_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - s->session->master_key,s->session->master_key_length, - km,tmp,num); + TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + km, tmp, num); #ifdef KSSL_DEBUG printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", - s->session->master_key_length); + s->session->master_key_length); { - int i; - for (i=0; i < s->session->master_key_length; i++) - { - printf("%02X", s->session->master_key[i]); - } - printf("\n"); } + int i; + for (i = 0; i < s->session->master_key_length; i++) { + printf("%02X", s->session->master_key[i]); + } + printf("\n"); + } #endif /* KSSL_DEBUG */ return ret; - } +} -int tls1_change_cipher_state(SSL *s, int which) - { +int +tls1_change_cipher_state(SSL *s, int which) +{ static const unsigned char empty[]=""; - unsigned char *p,*mac_secret; + unsigned char *p, *mac_secret; unsigned char *exp_label; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; unsigned char iv2[EVP_MAX_IV_LENGTH*2]; - unsigned char *ms,*key,*iv; + unsigned char *ms, *key, *iv; int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; 
@@ -337,36 +331,35 @@ int tls1_change_cipher_state(SSL *s, int which) int *mac_secret_size; EVP_MD_CTX *mac_ctx; EVP_PKEY *mac_key; - int is_export,n,i,j,k,exp_label_len,cl; + int is_export, n, i, j, k, exp_label_len, cl; int reuse_dd = 0; - is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); - c=s->s3->tmp.new_sym_enc; - m=s->s3->tmp.new_hash; + is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); + c = s->s3->tmp.new_sym_enc; + m = s->s3->tmp.new_hash; mac_type = s->s3->tmp.new_mac_pkey_type; #ifndef OPENSSL_NO_COMP - comp=s->s3->tmp.new_compression; + comp = s->s3->tmp.new_compression; #endif #ifdef KSSL_DEBUG printf("tls1_change_cipher_state(which= %d) w/\n", which); printf("\talg= %ld/%ld, comp= %p\n", - s->s3->tmp.new_cipher->algorithm_mkey, - s->s3->tmp.new_cipher->algorithm_auth, - comp); + s->s3->tmp.new_cipher->algorithm_mkey, + s->s3->tmp.new_cipher->algorithm_auth, + comp); printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", - c->nid,c->block_size,c->key_len,c->iv_len); + c->nid, c->block_size, c->key_len, c->iv_len); printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); { - int i; - for (i=0; is3->tmp.key_block_length; i++) - printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); - } + int i; + for (i = 0; i < s->s3->tmp.key_block_length; i++) + printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); + } #endif /* KSSL_DEBUG */ - if (which & SSL3_CC_READ) - { + if (which & SSL3_CC_READ) { if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; else 
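Review bot: In the KSSL_DEBUG block the reformatted loop leaves `printf("\n");` on the same line as the loop body `printf("%02x", s->s3->tmp.key_block[i]);`, so it reads as part of the loop although it runs once after it. Moving `printf("\n");` to its own line at the indentation of the `for` keeps the change whitespace-only and removes the ambiguity. The block also prints the whole key block to stdout whenever KSSL_DEBUG is defined, so a comment at the `#ifdef` would help, for example `/* KSSL_DEBUG dumps key material to stdout; debugging builds only */`. tls1_change_cipher_state starts before this hunk and continues after it.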
@@ -374,303 +367,285 @@ int tls1_change_cipher_state(SSL *s, int which) if (s->enc_read_ctx != NULL) reuse_dd = 1; - else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) + else if ((s->enc_read_ctx = OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_read_ctx); - dd= s->enc_read_ctx; - mac_ctx=ssl_replace_hash(&s->read_hash,NULL); + EVP_CIPHER_CTX_init(s->enc_read_ctx); + dd = s->enc_read_ctx; + mac_ctx = ssl_replace_hash(&s->read_hash, NULL); #ifndef OPENSSL_NO_COMP - if (s->expand != NULL) - { + if (s->expand != NULL) { COMP_CTX_free(s->expand); - s->expand=NULL; - } - if (comp != NULL) - { - s->expand=COMP_CTX_new(comp->method); - if (s->expand == NULL) - { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + s->expand = NULL; + } + if (comp != NULL) { + s->expand = COMP_CTX_new(comp->method); + if (s->expand == NULL) { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; - } + } if (s->s3->rrec.comp == NULL) - s->s3->rrec.comp=(unsigned char *) - OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + s->s3->rrec.comp = (unsigned char *) + OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; - } + } #endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ - if (s->version != DTLS1_VERSION) - memset(&(s->s3->read_sequence[0]),0,8); - mac_secret= &(s->s3->read_mac_secret[0]); - mac_secret_size=&(s->s3->read_mac_secret_size); - } - else - { + if (s->version != DTLS1_VERSION) + memset(&(s->s3->read_sequence[0]), 0, 8); + mac_secret = &(s->s3->read_mac_secret[0]); + mac_secret_size = &(s->s3->read_mac_secret_size); + } else { if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; - else + else s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) 
reuse_dd = 1; - else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; - dd= s->enc_write_ctx; - if (SSL_IS_DTLS(s)) - { + dd = s->enc_write_ctx; + if (SSL_IS_DTLS(s)) { mac_ctx = EVP_MD_CTX_create(); if (!mac_ctx) goto err; s->write_hash = mac_ctx; - } - else - mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + } else + mac_ctx = ssl_replace_hash(&s->write_hash, NULL); #ifndef OPENSSL_NO_COMP - if (s->compress != NULL) - { + if (s->compress != NULL) { COMP_CTX_free(s->compress); - s->compress=NULL; - } - if (comp != NULL) - { - s->compress=COMP_CTX_new(comp->method); - if (s->compress == NULL) - { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + s->compress = NULL; + } + if (comp != NULL) { + s->compress = COMP_CTX_new(comp->method); + if (s->compress == NULL) { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; - } } + } #endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ - if (s->version != DTLS1_VERSION) - memset(&(s->s3->write_sequence[0]),0,8); - mac_secret= &(s->s3->write_mac_secret[0]); + if (s->version != DTLS1_VERSION) + memset(&(s->s3->write_sequence[0]), 0, 8); + mac_secret = &(s->s3->write_mac_secret[0]); mac_secret_size = &(s->s3->write_mac_secret_size); - } + } if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); - p=s->s3->tmp.key_block; - i=*mac_secret_size=s->s3->tmp.new_mac_secret_size; + p = s->s3->tmp.key_block; + i=*mac_secret_size = s->s3->tmp.new_mac_secret_size; - cl=EVP_CIPHER_key_length(c); - j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + cl = EVP_CIPHER_key_length(c); + j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ /* If GCM mode only part of IV comes from PRF */ if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) k = EVP_GCM_TLS_FIXED_IV_LEN; else - k=EVP_CIPHER_iv_length(c); - if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || - (which == SSL3_CHANGE_CIPHER_SERVER_READ)) - { - ms= &(p[ 0]); n=i+i; - key= &(p[ n]); n+=j+j; - iv= &(p[ n]); n+=k+k; - exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; - exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; - client_write=1; - } - else - { - n=i; - ms= &(p[ n]); n+=i+j; - key= &(p[ n]); n+=j+k; - iv= &(p[ n]); n+=k; - exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; - exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; - client_write=0; - } + k = EVP_CIPHER_iv_length(c); + if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || + (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { + ms = &(p[0]); + n = i + i; + key = &(p[n]); + n += j + j; + iv = &(p[n]); + n += k + k; + exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; + exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; + client_write = 1; + } else { + n = i; + ms = &(p[n]); + n += i + j; + key = &(p[n]); + n += j + k; + iv = &(p[n]); + n += k; + exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; + exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; + client_write = 0; + } - if (n > s->s3->tmp.key_block_length) - { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); + if (n > s->s3->tmp.key_block_length) { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; - } + } - memcpy(mac_secret,ms,i); + memcpy(mac_secret, ms, i); - if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) - { + if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) { mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, - mac_secret,*mac_secret_size); - EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); + mac_secret, *mac_secret_size); + EVP_DigestSignInit(mac_ctx, 
NULL, m, NULL, mac_key); EVP_PKEY_free(mac_key); - } + } #ifdef TLS_DEBUG -printf("which = %04X\nmac key=",which); -{ int z; for (z=0; zs3->client_random,SSL3_RANDOM_SIZE, - s->s3->server_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - key,j,tmp1,tmp2,EVP_CIPHER_key_length(c))) - goto err2; - key=tmp1; + exp_label, exp_label_len, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) + goto err2; + key = tmp1; - if (k > 0) - { + if (k > 0) { if (!tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - s->s3->server_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - empty,0,iv1,iv2,k*2)) - goto err2; + TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, NULL, 0, + empty, 0, iv1, iv2, k*2)) + goto err2; if (client_write) - iv=iv1; + iv = iv1; else - iv= &(iv1[k]); - } + iv = &(iv1[k]); } + } - s->session->key_arg_length=0; + s->session->key_arg_length = 0; #ifdef KSSL_DEBUG { - int i; - printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); - printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]); - printf("\n"); - printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]); - printf("\n"); + int i; + printf("EVP_CipherInit_ex(dd, c, key=, iv=, which)\n"); + printf("\tkey= "); for (i = 0; ikey_len; i++) printf("%02x", key[i]); + printf("\n"); + printf("\t iv= "); for (i = 0; iiv_len; i++) printf("%02x", iv[i]); + printf("\n"); } #endif /* KSSL_DEBUG */ - if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) - { - EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); + if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { + EVP_CipherInit_ex(dd, c, NULL, key, NULL,(which & SSL3_CC_WRITE)); EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); - } - else - EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & 
SSL3_CC_WRITE)); + } else + EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) - EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY, - *mac_secret_size,mac_secret); + EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, + *mac_secret_size, mac_secret); #ifdef TLS_DEBUG -printf("which = %04X\nkey=",which); -{ int z; for (z=0; zs3->tmp.key_block_length != 0) - return(1); + return (1); - if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp)) - { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); - return(0); - } + if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); + return (0); + } - s->s3->tmp.new_sym_enc=c; - s->s3->tmp.new_hash=hash; + s->s3->tmp.new_sym_enc = c; + s->s3->tmp.new_hash = hash; s->s3->tmp.new_mac_pkey_type = mac_type; s->s3->tmp.new_mac_secret_size = mac_secret_size; - num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c); + num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); num*=2; ssl3_cleanup_key_block(s); - if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) - { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); + if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; - } + } - s->s3->tmp.key_block_length=num; - s->s3->tmp.key_block=p1; + s->s3->tmp.key_block_length = num; + s->s3->tmp.key_block = p1; - if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) - { - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); + if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; - } + } #ifdef TLS_DEBUG -printf("client random\n"); -{ int z; for (z=0; 
zs3->client_random[z],((z+1)%16)?' ':'\n'); } -printf("server random\n"); -{ int z; for (z=0; zs3->server_random[z],((z+1)%16)?' ':'\n'); } -printf("pre-master\n"); -{ int z; for (z=0; zsession->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } + printf("client random\n"); + { int z; for (z = 0; zs3->client_random[z],((z+1)%16)?' ':'\n'); } + printf("server random\n"); + { int z; for (z = 0; zs3->server_random[z],((z+1)%16)?' ':'\n'); } + printf("pre-master\n"); + { int z; for (z = 0; zsession->master_key_length; z++) printf("%02X%c", s->session->master_key[z],((z+1)%16)?' ':'\n'); } #endif - if (!tls1_generate_key_block(s,p1,p2,num)) + if (!tls1_generate_key_block(s, p1, p2, num)) goto err; #ifdef TLS_DEBUG -printf("\nkey block\n"); -{ int z; for (z=0; zoptions & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) - && s->method->version <= TLS1_VERSION) - { + && s->method->version <= TLS1_VERSION) { /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ s->s3->need_empty_fragments = 1; - if (s->session->cipher != NULL) - { + if (s->session->cipher != NULL) { if (s->session->cipher->algorithm_enc == SSL_eNULL) s->s3->need_empty_fragments = 0; - + #ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) s->s3->need_empty_fragments = 0; #endif - } } - + } + ret = 1; err: - if (p2) - { - OPENSSL_cleanse(p2,num); + if (p2) { + OPENSSL_cleanse(p2, num); OPENSSL_free(p2); - } - return(ret); } + return (ret); +} /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. * 
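Review bot: In tls1_change_cipher_state the non-AEAD branch calls `EVP_PKEY_new_mac_key(...)` and `EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key)` without checking either result, so an allocation or init failure could leave the record MAC context unset while the function carries on to install the cipher. tls1_P_hash in this same file tests both calls and bails out, and this function already uses `goto err2` for its other failures. A follow-up outside this whitespace-only pass could add `if (mac_key == NULL) goto err2;` after the allocation and replace the bare call with `if (!EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key)) { EVP_PKEY_free(mac_key); goto err2; }`, assuming err2 is the right exit at that point. The function begins before this hunk, and the `EVP_CipherInit_ex` and `EVP_CIPHER_CTX_ctrl` calls further down ignore their results in the same way.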
@@ -681,176 +656,161 @@ err: * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, * an internal error occured. */ -int tls1_enc(SSL *s, int send) - { +int +tls1_enc(SSL *s, int send) +{ SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; - int bs,i,j,k,pad=0,ret,mac_size=0; + int bs, i, j, k, pad = 0, ret, mac_size = 0; const EVP_CIPHER *enc; - if (send) - { - if (EVP_MD_CTX_md(s->write_hash)) - { - int n=EVP_MD_CTX_size(s->write_hash); + if (send) { + if (EVP_MD_CTX_md(s->write_hash)) { + int n = EVP_MD_CTX_size(s->write_hash); OPENSSL_assert(n >= 0); - } - ds=s->enc_write_ctx; - rec= &(s->s3->wrec); + } + ds = s->enc_write_ctx; + rec = &(s->s3->wrec); if (s->enc_write_ctx == NULL) - enc=NULL; - else - { + enc = NULL; + else { int ivlen; - enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); + enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); /* For TLSv1.1 and later explicit IV */ if (s->version >= TLS1_1_VERSION && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) ivlen = EVP_CIPHER_iv_length(enc); else ivlen = 0; - if (ivlen > 1) - { - if ( rec->data != rec->input) + if (ivlen > 1) { + if (rec->data != rec->input) /* we can't write into the input stream: * Can this ever happen?? 
(steve) */ fprintf(stderr, - "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); + "%s:%d: rec->data != rec->input\n", + __FILE__, __LINE__); else if (RAND_bytes(rec->input, ivlen) <= 0) return -1; - } } } - else - { - if (EVP_MD_CTX_md(s->read_hash)) - { - int n=EVP_MD_CTX_size(s->read_hash); + } else { + if (EVP_MD_CTX_md(s->read_hash)) { + int n = EVP_MD_CTX_size(s->read_hash); OPENSSL_assert(n >= 0); - } - ds=s->enc_read_ctx; - rec= &(s->s3->rrec); + } + ds = s->enc_read_ctx; + rec = &(s->s3->rrec); if (s->enc_read_ctx == NULL) - enc=NULL; + enc = NULL; else - enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } + enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); + } #ifdef KSSL_DEBUG printf("tls1_enc(%d)\n", send); #endif /* KSSL_DEBUG */ - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) - { - memmove(rec->data,rec->input,rec->length); - rec->input=rec->data; + if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { + memmove(rec->data, rec->input, rec->length); + rec->input = rec->data; ret = 1; - } - else - { - l=rec->length; - bs=EVP_CIPHER_block_size(ds->cipher); - - if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) - { - unsigned char buf[13],*seq; - - seq = send?s->s3->write_sequence:s->s3->read_sequence; - - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) - { - unsigned char dtlsseq[9],*p=dtlsseq; - - s2n(send?s->d1->w_epoch:s->d1->r_epoch,p); - memcpy(p,&seq[2],6); - memcpy(buf,dtlsseq,8); - } - else + } else { + l = rec->length; + bs = EVP_CIPHER_block_size(ds->cipher); + + if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) { + unsigned char buf[13], *seq; + + seq = send ? s->s3->write_sequence : s->s3->read_sequence; + + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { + unsigned char dtlsseq[9], *p = dtlsseq; + + s2n(send ? 
s->d1->w_epoch : s->d1->r_epoch, p); + memcpy(p, &seq[2], 6); + memcpy(buf, dtlsseq, 8); + } else { + memcpy(buf, seq, 8); + for (i = 7; + i >= 0; + i--) /* increment */ { - memcpy(buf,seq,8); - for (i=7; i>=0; i--) /* increment */ - { ++seq[i]; - if (seq[i] != 0) break; - } - } + if (seq[i] != 0) + break; - buf[8]=rec->type; - buf[9]=(unsigned char)(s->version>>8); - buf[10]=(unsigned char)(s->version); - buf[11]=rec->length>>8; - buf[12]=rec->length&0xff; - pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf); - if (send) - { - l+=pad; - rec->length+=pad; } } - else if ((bs != 1) && send) - { - i=bs-((int)l%bs); + + buf[8] = rec->type; + buf[9] = (unsigned char)(s->version >> 8); + buf[10] = (unsigned char)(s->version); + buf[11] = rec->length >> 8; + buf[12] = rec->length&0xff; + pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); + if (send) { + l += pad; + rec->length += pad; + } + } else if ((bs != 1) && send) { + i = bs - ((int)l % bs); /* Add weird padding of upto 256 bytes */ /* we need to add 'i' padding bytes of value j */ - j=i-1; - if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) - { + j = i - 1; + if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) { if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) j++; - } - for (k=(int)l; k<(int)(l+i); k++) - rec->input[k]=j; - l+=i; - rec->length+=i; } + for (k = (int)l; k < (int)(l + i); k++) + rec->input[k] = j; + l += i; + rec->length += i; + } #ifdef KSSL_DEBUG { - unsigned long ui; - printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", - ds,rec->data,rec->input,l); - printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", + unsigned long ui; + printf("EVP_Cipher(ds=%p, rec->data=%p, rec->input=%p, l=%ld) ==>\n", + ds, rec->data, rec->input, l); + printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", ds->buf_len, ds->cipher->key_len, DES_KEY_SZ, DES_SCHEDULE_SZ, ds->cipher->iv_len); - printf("\t\tIV: "); - for (i=0; icipher->iv_len; i++) printf("%02X", 
ds->iv[i]); - printf("\n"); - printf("\trec->input="); - for (ui=0; uiinput[ui]); - printf("\n"); + printf("\t\tIV: "); + for (i = 0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); + printf("\n"); + printf("\trec->input="); + for (ui = 0; uiinput[ui]); + printf("\n"); } #endif /* KSSL_DEBUG */ - if (!send) - { - if (l == 0 || l%bs != 0) + if (!send) { + if (l == 0 || l % bs != 0) return 0; - } - - i = EVP_Cipher(ds,rec->data,rec->input,l); + } + + i = EVP_Cipher(ds, rec->data, rec->input, l); if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) - ?(i<0) - :(i==0)) - return -1; /* AEAD can fail to verify MAC */ - if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) - { + ?(i < 0) + :(i == 0)) + return -1; /* AEAD can fail to verify MAC */ + if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; - } + } #ifdef KSSL_DEBUG { - unsigned long i; - printf("\trec->data="); - for (i=0; idata[i]); printf("\n"); + unsigned long i; + printf("\trec->data="); + for (i = 0; i < l; i++) + printf(" %02x", rec->data[i]); printf("\n"); } #endif /* KSSL_DEBUG */ 
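Review bot: In the send path of tls1_enc, the `rec->data != rec->input` branch only prints to stderr and then carries on, so for a TLS 1.1+ CBC record the RAND_bytes() call that fills the explicit IV is skipped and the record is still encrypted and sent. Library code should fail closed here rather than log: `if (rec->data != rec->input) return -1;` ahead of the RAND_bytes() call, which matches the documented -1 result for an internal error when sending. Separately, the reformat left the sequence-number loop header split over three lines (`for (i = 7;` / `i >= 0;` / `i--) /* increment */`) with its brace on a line of its own; `for (i = 7; i >= 0; i--) {` is the KNF form. tls1_enc continues past the end of this hunk.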
@@ -861,97 +821,93 @@ int tls1_enc(SSL *s, int send) ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); if (pad && !send) rec->length -= pad; - } - return ret; } + return ret; +} -int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) - { +int +tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) +{ unsigned int ret; - EVP_MD_CTX ctx, *d=NULL; + EVP_MD_CTX ctx, *d = NULL; int i; - if (s->s3->handshake_buffer) + if (s->s3->handshake_buffer) if (!ssl3_digest_cached_records(s)) return 0; - for (i=0;is3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) - { - d=s->s3->handshake_dgst[i]; + for (i = 0; i < SSL_MAX_DIGEST; i++) { + if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { + d = s->s3->handshake_dgst[i]; break; - } } + } if (!d) { - SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST); + SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST); return 0; - } + } EVP_MD_CTX_init(&ctx); - EVP_MD_CTX_copy_ex(&ctx,d); - EVP_DigestFinal_ex(&ctx,out,&ret); + EVP_MD_CTX_copy_ex(&ctx, d); + EVP_DigestFinal_ex(&ctx, out, &ret); EVP_MD_CTX_cleanup(&ctx); - return((int)ret); - } + return ((int)ret); +} -int tls1_final_finish_mac(SSL *s, - const char *str, int slen, unsigned char *out) - { +int +tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) +{ unsigned int i; EVP_MD_CTX ctx; unsigned char buf[2*EVP_MAX_MD_SIZE]; - unsigned char *q,buf2[12]; + unsigned char *q, buf2[12]; int idx; long mask; - int err=0; - const EVP_MD *md; + int err = 0; + const EVP_MD *md; + - q=buf; + q = buf; - if (s->s3->handshake_buffer) + if (s->s3->handshake_buffer) if (!ssl3_digest_cached_records(s)) return 0; EVP_MD_CTX_init(&ctx); - for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) - { - if (mask & ssl_get_algorithm2(s)) - { + for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) { + if (mask & ssl_get_algorithm2(s)) { int hashsize = EVP_MD_size(md); EVP_MD_CTX *hdgst 
= s->s3->handshake_dgst[idx]; - if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) - { + if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { /* internal error: 'buf' is too small for this cipersuite! */ err = 1; - } - else - { + } else { if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || - !EVP_DigestFinal_ex(&ctx,q,&i) || - (i != (unsigned int)hashsize)) - err = 1; - q+=hashsize; - } + !EVP_DigestFinal_ex(&ctx, q, &i) || + (i != (unsigned int)hashsize)) + err = 1; + q += hashsize; } } - + } + if (!tls1_PRF(ssl_get_algorithm2(s), - str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, - s->session->master_key,s->session->master_key_length, - out,buf2,sizeof buf2)) - err = 1; + str, slen, buf,(int)(q - buf), NULL, 0, NULL, 0, NULL, 0, + s->session->master_key, s->session->master_key_length, + out, buf2, sizeof buf2)) + err = 1; EVP_MD_CTX_cleanup(&ctx); if (err) return 0; else return sizeof buf2; - } +} -int tls1_mac(SSL *ssl, unsigned char *md, int send) - { +int +tls1_mac(SSL *ssl, unsigned char *md, int send) +{ SSL3_RECORD *rec; unsigned char *seq; EVP_MD_CTX *hash; 
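Review bot: tls1_cert_verify_mac ignores the results of `EVP_MD_CTX_copy_ex(&ctx, d)` and `EVP_DigestFinal_ex(&ctx, out, &ret)` and then returns `(int)ret`, so if either call fails the caller receives an uninitialised length together with whatever was already in `out`. tls1_final_finish_mac, later in this same hunk, checks both calls, and the same pattern fits here: `if (!EVP_MD_CTX_copy_ex(&ctx, d) || !EVP_DigestFinal_ex(&ctx, out, &ret)) ret = 0;` followed by the existing EVP_MD_CTX_cleanup(). Returning 0 on failure is consistent with the two earlier `return 0;` error exits in this function.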
@@ -959,152 +915,141 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) int i; EVP_MD_CTX hmac, *mac_ctx; unsigned char header[13]; - int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); + int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : (ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); int t; - if (send) - { - rec= &(ssl->s3->wrec); - seq= &(ssl->s3->write_sequence[0]); - hash=ssl->write_hash; - } - else - { - rec= &(ssl->s3->rrec); - seq= &(ssl->s3->read_sequence[0]); - hash=ssl->read_hash; - } + if (send) { + rec = &(ssl->s3->wrec); + seq = &(ssl->s3->write_sequence[0]); + hash = ssl->write_hash; + } else { + rec = &(ssl->s3->rrec); + seq = &(ssl->s3->read_sequence[0]); + hash = ssl->read_hash; + } - t=EVP_MD_CTX_size(hash); + t = EVP_MD_CTX_size(hash); OPENSSL_assert(t >= 0); - md_size=t; + md_size = t; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) - { - mac_ctx = hash; - } - else - { - if (!EVP_MD_CTX_copy(&hmac,hash)) - return -1; - mac_ctx = &hmac; - } + if (stream_mac) { + mac_ctx = hash; + } else { + if (!EVP_MD_CTX_copy(&hmac, hash)) + return -1; + mac_ctx = &hmac; + } - if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) - { - unsigned char dtlsseq[8],*p=dtlsseq; + if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) { + unsigned char dtlsseq[8], *p = dtlsseq; - s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); - memcpy (p,&seq[2],6); + s2n(send ? 
ssl->d1->w_epoch : ssl->d1->r_epoch, p); + memcpy (p, &seq[2], 6); memcpy(header, dtlsseq, 8); - } - else + } else memcpy(header, seq, 8); /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ - orig_len = rec->length+md_size+((unsigned int)rec->type>>8); + orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); rec->type &= 0xff; - header[8]=rec->type; - header[9]=(unsigned char)(ssl->version>>8); - header[10]=(unsigned char)(ssl->version); - header[11]=(rec->length)>>8; - header[12]=(rec->length)&0xff; + header[8] = rec->type; + header[9] = (unsigned char)(ssl->version >> 8); + header[10] = (unsigned char)(ssl->version); + header[11] = (rec->length) >> 8; + header[12] = (rec->length)&0xff; if (!send && - EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && - ssl3_cbc_record_digest_supported(mac_ctx)) - { + EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && + ssl3_cbc_record_digest_supported(mac_ctx)) { /* This is a CBC-encrypted record. We must avoid leaking any * timing-side channel information about how many blocks of * data we are hashing because that gives an attacker a * timing-oracle. 
*/ ssl3_cbc_digest_record( - mac_ctx, - md, &md_size, - header, rec->input, - rec->length + md_size, orig_len, - ssl->s3->read_mac_secret, - ssl->s3->read_mac_secret_size, - 0 /* not SSLv3 */); - } - else - { - EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); - EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); - t=EVP_DigestSignFinal(mac_ctx,md,&md_size); + mac_ctx, + md, &md_size, + header, rec->input, + rec->length + md_size, orig_len, + ssl->s3->read_mac_secret, + ssl->s3->read_mac_secret_size, + 0 /* not SSLv3 */); + } else { + EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); + EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); + t = EVP_DigestSignFinal(mac_ctx, md, &md_size); OPENSSL_assert(t > 0); #ifdef OPENSSL_FIPS if (!send && FIPS_mode()) tls_fips_digest_extra( - ssl->enc_read_ctx, - mac_ctx, rec->input, - rec->length, orig_len); + ssl->enc_read_ctx, + mac_ctx, rec->input, + rec->length, orig_len); #endif - } - + } + if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); #ifdef TLS_DEBUG -printf("sec="); -{unsigned int z; for (z=0; zversion != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) - { - for (i=7; i>=0; i--) - { + if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) { + for (i = 7; i >= 0; i--) { ++seq[i]; - if (seq[i] != 0) break; - } + if (seq[i] != 0) + break; + } + } #ifdef TLS_DEBUG -{unsigned int z; for (z=0; zs3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL && s->s3->client_opaque_prf_input_len > 0 && - s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) - { + s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) { co = s->s3->client_opaque_prf_input; col = s->s3->server_opaque_prf_input_len; so = s->s3->server_opaque_prf_input; sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ - } + } #endif tls1_PRF(ssl_get_algorithm2(s), - 
TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - co, col, - s->s3->server_random,SSL3_RANDOM_SIZE, - so, sol, - p,len, - s->session->master_key,buff,sizeof buff); + TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + co, col, + s->s3->server_random, SSL3_RANDOM_SIZE, + so, sol, + p, len, + s->session->master_key, buff, sizeof buff); #ifdef SSL_DEBUG fprintf(stderr, "Premaster Secret:\n"); BIO_dump_fp(stderr, (char *)p, len); @@ -1119,13 +1064,14 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, #ifdef KSSL_DEBUG printf ("tls1_generate_master_secret() complete\n"); #endif /* KSSL_DEBUG */ - return(SSL3_MASTER_SECRET_SIZE); - } + return (SSL3_MASTER_SECRET_SIZE); +} -int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *context, - size_t contextlen, int use_context) - { +int +tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, + const char *label, size_t llen, const unsigned char *context, + size_t contextlen, int use_context) +{ unsigned char *buff; unsigned char *val = NULL; size_t vallen, currentvalpos; @@ -1136,7 +1082,8 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, #endif /* KSSL_DEBUG */ buff = OPENSSL_malloc(olen); - if (buff == NULL) goto err2; + if (buff == NULL) + goto err2; /* construct PRF arguments * we construct the PRF argument ourself rather than passing separate 
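Review bot: The master-secret derivation calls `tls1_PRF(...)` as a bare statement and, in the hunk that follows, returns SSL3_MASTER_SECRET_SIZE unconditionally, so a PRF failure would leave `s->session->master_key` in whatever state it had and still report success. tls1_final_finish_mac treats a zero return from tls1_PRF as an error, and this call should as well, for example `if (!tls1_PRF(...)) return 0;` with the existing arguments; that assumes callers treat 0 as failure, which is not visible on this page. The opening lines of tls1_generate_master_secret are not visible in this hunk and the function ends in the next one.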
@@ -1144,13 +1091,13 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, * does not create a prohibited label. */ vallen = llen + SSL3_RANDOM_SIZE * 2; - if (use_context) - { + if (use_context) { vallen += 2 + contextlen; - } + } val = OPENSSL_malloc(vallen); - if (val == NULL) goto err2; + if (val == NULL) + goto err2; currentvalpos = 0; memcpy(val + currentvalpos, (unsigned char *) label, llen); currentvalpos += llen; @@ -1159,17 +1106,15 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); currentvalpos += SSL3_RANDOM_SIZE; - if (use_context) - { + if (use_context) { val[currentvalpos] = (contextlen >> 8) & 0xff; currentvalpos++; val[currentvalpos] = contextlen & 0xff; currentvalpos++; - if ((contextlen > 0) || (context != NULL)) - { + if ((contextlen > 0) || (context != NULL)) { memcpy(val + currentvalpos, context, contextlen); - } } + } /* disallow prohibited labels * note that SSL3_RANDOM_SIZE > max(prohibited label len) = 
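Review bot: In tls1_export_keying_material the guard `if ((contextlen > 0) || (context != NULL))` still reaches `memcpy(val + currentvalpos, context, contextlen)` when `context` is NULL and `contextlen` is non-zero; `if ((contextlen > 0) && (context != NULL))` is the condition that makes the copy safe. The two length bytes written just before it keep only the low 16 bits of `contextlen`, while the copy and the `vallen` sum in the preceding hunk use the full size_t, so a context longer than 0xffff bytes yields a length prefix that disagrees with the data fed to the PRF. Failing early on `use_context && contextlen > 0xffff`, before `vallen` is computed, would remove that mismatch. The function begins and ends outside these two hunks.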
@@ -1177,22 +1122,22 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, * comparisons won't have buffer overflow */ if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, - TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; + TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; + TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; + TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, - TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; + TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - val, vallen, - NULL, 0, - NULL, 0, - NULL, 0, - NULL, 0, - s->session->master_key,s->session->master_key_length, - out,buff,olen); + val, vallen, + NULL, 0, + NULL, 0, + NULL, 0, + NULL, 0, + s->session->master_key, s->session->master_key_length, + out, buff, olen); #ifdef KSSL_DEBUG printf ("tls1_export_keying_material() complete\n"); 
@@ -1206,49 +1151,82 @@ err2: SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); rv = 0; ret: - if (buff != NULL) OPENSSL_free(buff); - if (val != NULL) OPENSSL_free(val); - return(rv); - } + if (buff != NULL) + OPENSSL_free(buff); + if (val != NULL) + OPENSSL_free(val); + return (rv); +} -int tls1_alert_code(int code) - { - switch (code) - { - case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); - case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); - case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); - case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); - case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); - case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); - case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); - case SSL_AD_NO_CERTIFICATE: return(-1); - case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); - case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); - case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); - case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); - case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); - case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); - case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); - case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); - case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); - case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); - case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); - case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); - case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); - case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); - case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); - case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); - case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION); 
- case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE); - case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME); - case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); - case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); - case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); +int +tls1_alert_code(int code) +{ + switch (code) { + case SSL_AD_CLOSE_NOTIFY: + return (SSL3_AD_CLOSE_NOTIFY); + case SSL_AD_UNEXPECTED_MESSAGE: + return (SSL3_AD_UNEXPECTED_MESSAGE); + case SSL_AD_BAD_RECORD_MAC: + return (SSL3_AD_BAD_RECORD_MAC); + case SSL_AD_DECRYPTION_FAILED: + return (TLS1_AD_DECRYPTION_FAILED); + case SSL_AD_RECORD_OVERFLOW: + return (TLS1_AD_RECORD_OVERFLOW); + case SSL_AD_DECOMPRESSION_FAILURE: + return (SSL3_AD_DECOMPRESSION_FAILURE); + case SSL_AD_HANDSHAKE_FAILURE: + return (SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_NO_CERTIFICATE: + return (-1); + case SSL_AD_BAD_CERTIFICATE: + return (SSL3_AD_BAD_CERTIFICATE); + case SSL_AD_UNSUPPORTED_CERTIFICATE: + return (SSL3_AD_UNSUPPORTED_CERTIFICATE); + case SSL_AD_CERTIFICATE_REVOKED: + return (SSL3_AD_CERTIFICATE_REVOKED); + case SSL_AD_CERTIFICATE_EXPIRED: + return (SSL3_AD_CERTIFICATE_EXPIRED); + case SSL_AD_CERTIFICATE_UNKNOWN: + return (SSL3_AD_CERTIFICATE_UNKNOWN); + case SSL_AD_ILLEGAL_PARAMETER: + return (SSL3_AD_ILLEGAL_PARAMETER); + case SSL_AD_UNKNOWN_CA: + return (TLS1_AD_UNKNOWN_CA); + case SSL_AD_ACCESS_DENIED: + return (TLS1_AD_ACCESS_DENIED); + case SSL_AD_DECODE_ERROR: + return (TLS1_AD_DECODE_ERROR); + case SSL_AD_DECRYPT_ERROR: + return (TLS1_AD_DECRYPT_ERROR); + case SSL_AD_EXPORT_RESTRICTION: + return (TLS1_AD_EXPORT_RESTRICTION); + case SSL_AD_PROTOCOL_VERSION: + return (TLS1_AD_PROTOCOL_VERSION); + case SSL_AD_INSUFFICIENT_SECURITY: + return (TLS1_AD_INSUFFICIENT_SECURITY); + case SSL_AD_INTERNAL_ERROR: + return (TLS1_AD_INTERNAL_ERROR); + case SSL_AD_USER_CANCELLED: + 
return (TLS1_AD_USER_CANCELLED); + case SSL_AD_NO_RENEGOTIATION: + return (TLS1_AD_NO_RENEGOTIATION); + case SSL_AD_UNSUPPORTED_EXTENSION: + return (TLS1_AD_UNSUPPORTED_EXTENSION); + case SSL_AD_CERTIFICATE_UNOBTAINABLE: + return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); + case SSL_AD_UNRECOGNIZED_NAME: + return (TLS1_AD_UNRECOGNIZED_NAME); + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: + return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); + case SSL_AD_UNKNOWN_PSK_IDENTITY: + return (TLS1_AD_UNKNOWN_PSK_IDENTITY); #if 0 /* not appropriate for TLS, not used for DTLS */ - case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return - (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); + case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE : return + (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); #endif - default: return(-1); - } + default: + return (-1); } +} diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index bddffd92cc..08f7a444ad 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -120,12 +120,13 @@ const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; #ifndef OPENSSL_NO_TLSEXT -static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, - const unsigned char *sess_id, int sesslen, - SSL_SESSION **psess); +static int +tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, + const unsigned char *sess_id, int sesslen, + SSL_SESSION **psess); #endif -SSL3_ENC_METHOD TLSv1_enc_data={ +SSL3_ENC_METHOD TLSv1_enc_data = { tls1_enc, tls1_mac, tls1_setup_key_block, 
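Review bot: The `ret:` cleanup at the top of this hunk releases `buff` with OPENSSL_free() alone, although `buff` is the scratch buffer passed to tls1_PRF() alongside the master key and presumably holds intermediate PRF output. The key-block setup code earlier on this page wipes its equivalent scratch buffer before freeing it (`OPENSSL_cleanse(p2, num);`), and the same treatment fits here: `if (buff != NULL) { OPENSSL_cleanse(buff, olen); OPENSSL_free(buff); }`. `val` only carries the label, the two randoms and the caller's context, so it does not need wiping. The body of tls1_export_keying_material starts before this hunk, and the tls1_alert_code switch that follows is a pure re-wrap.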
@@ -134,171 +135,173 @@ SSL3_ENC_METHOD TLSv1_enc_data={ tls1_final_finish_mac, TLS1_FINISH_MAC_LENGTH, tls1_cert_verify_mac, - TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, - TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, + TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, - }; +}; -long tls1_default_timeout(void) - { +long +tls1_default_timeout(void) +{ /* 2 hours, the 24 hours mentioned in the TLSv1 spec * is way too long for http, the cache would over fill */ - return(60*60*2); - } + return (60*60*2); +} -int tls1_new(SSL *s) - { - if (!ssl3_new(s)) return(0); - s->method->ssl_clear(s); - return(1); - } +int +tls1_new(SSL *s) +{ + if (!ssl3_new(s)) return (0); + s->method->ssl_clear(s); + return (1); +} -void tls1_free(SSL *s) - { +void +tls1_free(SSL *s) +{ #ifndef OPENSSL_NO_TLSEXT - if (s->tlsext_session_ticket) - { + if (s->tlsext_session_ticket) { OPENSSL_free(s->tlsext_session_ticket); - } + } #endif /* OPENSSL_NO_TLSEXT */ ssl3_free(s); - } +} -void tls1_clear(SSL *s) - { +void +tls1_clear(SSL *s) +{ ssl3_clear(s); s->version = s->method->version; - } +} #ifndef OPENSSL_NO_EC -static int nid_list[] = - { - NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_sect571r1, /* sect571r1 (14) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ 
- NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_secp521r1 /* secp521r1 (25) */ - }; +static int nid_list[] = { + NID_sect163k1, /* sect163k1 (1) */ + NID_sect163r1, /* sect163r1 (2) */ + NID_sect163r2, /* sect163r2 (3) */ + NID_sect193r1, /* sect193r1 (4) */ + NID_sect193r2, /* sect193r2 (5) */ + NID_sect233k1, /* sect233k1 (6) */ + NID_sect233r1, /* sect233r1 (7) */ + NID_sect239k1, /* sect239k1 (8) */ + NID_sect283k1, /* sect283k1 (9) */ + NID_sect283r1, /* sect283r1 (10) */ + NID_sect409k1, /* sect409k1 (11) */ + NID_sect409r1, /* sect409r1 (12) */ + NID_sect571k1, /* sect571k1 (13) */ + NID_sect571r1, /* sect571r1 (14) */ + NID_secp160k1, /* secp160k1 (15) */ + NID_secp160r1, /* secp160r1 (16) */ + NID_secp160r2, /* secp160r2 (17) */ + NID_secp192k1, /* secp192k1 (18) */ + NID_X9_62_prime192v1, /* secp192r1 (19) */ + NID_secp224k1, /* secp224k1 (20) */ + NID_secp224r1, /* secp224r1 (21) */ + NID_secp256k1, /* secp256k1 (22) */ + NID_X9_62_prime256v1, /* secp256r1 (23) */ + NID_secp384r1, /* secp384r1 (24) */ + NID_secp521r1 /* secp521r1 (25) */ +}; -static int pref_list[] = - { - NID_sect571r1, /* sect571r1 (14) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_secp521r1, /* secp521r1 (25) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ - 
NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - }; +static int pref_list[] = { + NID_sect571r1, /* sect571r1 (14) */ + NID_sect571k1, /* sect571k1 (13) */ + NID_secp521r1, /* secp521r1 (25) */ + NID_sect409k1, /* sect409k1 (11) */ + NID_sect409r1, /* sect409r1 (12) */ + NID_secp384r1, /* secp384r1 (24) */ + NID_sect283k1, /* sect283k1 (9) */ + NID_sect283r1, /* sect283r1 (10) */ + NID_secp256k1, /* secp256k1 (22) */ + NID_X9_62_prime256v1, /* secp256r1 (23) */ + NID_sect239k1, /* sect239k1 (8) */ + NID_sect233k1, /* sect233k1 (6) */ + NID_sect233r1, /* sect233r1 (7) */ + NID_secp224k1, /* secp224k1 (20) */ + NID_secp224r1, /* secp224r1 (21) */ + NID_sect193r1, /* sect193r1 (4) */ + NID_sect193r2, /* sect193r2 (5) */ + NID_secp192k1, /* secp192k1 (18) */ + NID_X9_62_prime192v1, /* secp192r1 (19) */ + NID_sect163k1, /* sect163k1 (1) */ + NID_sect163r1, /* sect163r1 (2) */ + NID_sect163r2, /* sect163r2 (3) */ + NID_secp160k1, /* secp160k1 (15) */ + NID_secp160r1, /* secp160r1 (16) */ + NID_secp160r2, /* secp160r2 (17) */ +}; -int tls1_ec_curve_id2nid(int curve_id) - { +int +tls1_ec_curve_id2nid(int curve_id) +{ /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ if ((curve_id < 1) || ((unsigned int)curve_id > - sizeof(nid_list)/sizeof(nid_list[0]))) + sizeof(nid_list)/sizeof(nid_list[0]))) return 0; - return nid_list[curve_id-1]; - } + return nid_list[curve_id - 1]; +} -int tls1_ec_nid2curve_id(int nid) - { +int +tls1_ec_nid2curve_id(int nid) +{ /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 
17, 2005) */ - switch (nid) - { + switch (nid) { case NID_sect163k1: /* sect163k1 (1) */ return 1; case NID_sect163r1: /* sect163r1 (2) */ return 2; case NID_sect163r2: /* sect163r2 (3) */ return 3; - case NID_sect193r1: /* sect193r1 (4) */ + case NID_sect193r1: /* sect193r1 (4) */ return 4; - case NID_sect193r2: /* sect193r2 (5) */ + case NID_sect193r2: /* sect193r2 (5) */ return 5; case NID_sect233k1: /* sect233k1 (6) */ return 6; - case NID_sect233r1: /* sect233r1 (7) */ + case NID_sect233r1: /* sect233r1 (7) */ return 7; - case NID_sect239k1: /* sect239k1 (8) */ + case NID_sect239k1: /* sect239k1 (8) */ return 8; case NID_sect283k1: /* sect283k1 (9) */ return 9; - case NID_sect283r1: /* sect283r1 (10) */ + case NID_sect283r1: /* sect283r1 (10) */ return 10; - case NID_sect409k1: /* sect409k1 (11) */ + case NID_sect409k1: /* sect409k1 (11) */ return 11; case NID_sect409r1: /* sect409r1 (12) */ return 12; - case NID_sect571k1: /* sect571k1 (13) */ + case NID_sect571k1: /* sect571k1 (13) */ return 13; - case NID_sect571r1: /* sect571r1 (14) */ + case NID_sect571r1: /* sect571r1 (14) */ return 14; case NID_secp160k1: /* secp160k1 (15) */ return 15; - case NID_secp160r1: /* secp160r1 (16) */ + case NID_secp160r1: /* secp160r1 (16) */ return 16; - case NID_secp160r2: /* secp160r2 (17) */ + case NID_secp160r2: /* secp160r2 (17) */ return 17; case NID_secp192k1: /* secp192k1 (18) */ return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ + case NID_X9_62_prime192v1: /* secp192r1 (19) */ return 19; - case NID_secp224k1: /* secp224k1 (20) */ + case NID_secp224k1: /* secp224k1 (20) */ return 20; case NID_secp224r1: /* secp224r1 (21) */ return 21; - case NID_secp256k1: /* secp256k1 (22) */ + case NID_secp256k1: /* secp256k1 (22) */ return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ + case NID_X9_62_prime256v1: /* secp256r1 (23) */ return 23; case NID_secp384r1: /* secp384r1 (24) */ return 24; - case NID_secp521r1: /* secp521r1 (25) */ + case NID_secp521r1: 
/* secp521r1 (25) */ return 25; default: return 0; - } } +} #endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_TLSEXT @@ -344,33 +347,35 @@ static unsigned char tls12_sigalgs[] = { #endif }; -int tls12_get_req_sig_algs(SSL *s, unsigned char *p) - { +int +tls12_get_req_sig_algs(SSL *s, unsigned char *p) +{ size_t slen = sizeof(tls12_sigalgs); if (p) memcpy(p, tls12_sigalgs, slen); return (int)slen; - } +} -unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) - { - int extdatalen=0; +unsigned char +*ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +{ + int extdatalen = 0; unsigned char *ret = p; /* don't add extensions for SSLv3 unless doing secure renegotiation */ if (s->client_version == SSL3_VERSION - && !s->s3->send_connection_binding) - return p; + && !s->s3->send_connection_binding) + return p; - ret+=2; + ret += 2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (s->tlsext_hostname != NULL) - { + if (s->tlsext_hostname != NULL) { /* Add TLS extension servername to the Client Hello message */ unsigned long size_str; - long lenmax; + long lenmax; + /* check for enough space. 4 for the servername type and entension length 
@@ -379,114 +384,117 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha 2 for hostname length + hostname length */ - - if ((lenmax = limit - ret - 9) < 0 - || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) - return NULL; - + + if ((lenmax = limit - ret - 9) < 0 + || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) + return NULL; + /* extension type and length */ - s2n(TLSEXT_TYPE_server_name,ret); - s2n(size_str+5,ret); - + s2n(TLSEXT_TYPE_server_name, ret); + + s2n(size_str + 5, ret); + /* length of servername list */ - s2n(size_str+3,ret); - + s2n(size_str + 3, ret); + /* hostname type, length and hostname */ *(ret++) = (unsigned char) TLSEXT_NAMETYPE_host_name; - s2n(size_str,ret); + s2n(size_str, ret); memcpy(ret, s->tlsext_hostname, size_str); - ret+=size_str; + ret += size_str; + } + + /* Add RI if renegotiating */ + if (s->renegotiate) { + int el; + + if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; } - /* Add RI if renegotiating */ - if (s->renegotiate) - { - int el; - - if(!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if((limit - p - 4 - el) < 0) return NULL; - - s2n(TLSEXT_TYPE_renegotiate,ret); - s2n(el,ret); - - if(!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } + if ((limit - p - 4 - el) + < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate, ret); + s2n(el, ret); + + if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + ret += el; + } #ifndef OPENSSL_NO_SRP /* Add SRP username if there is one */ if (s->srp_ctx.login != NULL) - { /* Add TLS extension SRP username to the Client Hello message */ + { 
/* Add TLS extension SRP username to the Client Hello message */ - int login_len = strlen(s->srp_ctx.login); - if (login_len > 255 || login_len == 0) - { + int login_len = strlen(s->srp_ctx.login); + + if (login_len > 255 || login_len == 0) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } + } /* check for enough space. 4 for the srp type type and entension length 1 for the srp user identity + srp user identity length */ - if ((limit - ret - 5 - login_len) < 0) return NULL; + if ((limit - ret - 5 - login_len) + < 0) return NULL; + /* fill in the extension */ - s2n(TLSEXT_TYPE_srp,ret); - s2n(login_len+1,ret); + s2n(TLSEXT_TYPE_srp, ret); + s2n(login_len + 1, ret); (*ret++) = (unsigned char) login_len; memcpy(ret, s->srp_ctx.login, login_len); - ret+=login_len; - } + ret += login_len; + } #endif #ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* Add TLS extension ECPointFormats to the ClientHello message */ - long lenmax; + long lenmax; + + + if ((lenmax = limit - ret - 5) + < 0) return NULL; - if ((lenmax = limit - ret - 5) < 0) return NULL; if (s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) - { + if (s->tlsext_ecpointformatlist_length > 255) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(s->tlsext_ecpointformatlist_length + 1,ret); + } + + s2n(TLSEXT_TYPE_ec_point_formats, ret); + s2n(s->tlsext_ecpointformatlist_length + 1, ret); *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; - } + ret += s->tlsext_ecpointformatlist_length; + } if (s->tlsext_ellipticcurvelist != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* Add TLS extension 
EllipticCurves to the ClientHello message */ - long lenmax; + long lenmax; + + + if ((lenmax = limit - ret - 6) + < 0) return NULL; - if ((lenmax = limit - ret - 6) < 0) return NULL; if (s->tlsext_ellipticcurvelist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ellipticcurvelist_length > 65532) - { + if (s->tlsext_ellipticcurvelist_length > 65532) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - - s2n(TLSEXT_TYPE_elliptic_curves,ret); + } + + s2n(TLSEXT_TYPE_elliptic_curves, ret); s2n(s->tlsext_ellipticcurvelist_length + 2, ret); /* NB: draft-ietf-tls-ecc-12.txt uses a one-byte prefix for 
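Review bot: The space check for the renegotiation extension, `if ((limit - p - 4 - el) < 0) return NULL;`, measures from `p`, the start of the extension block, instead of from `ret`, the current write position, so the bytes already written (the two-byte length slot and any server_name extension) are not counted and the check can pass with fewer than `4 + el` bytes left before `limit`. Every other check in this hunk uses `ret`; this one should read `if ((limit - ret - 4 - el) < 0)` with `return NULL;` on its own line, which also undoes the odd split before `< 0` that the reformat left behind. The same `limit - p` form appears in the SRTP block of the `@@ -630,36 +630,34 @@` hunk and in the renegotiate and SRTP blocks of `ssl_add_serverhello_tlsext` in the `@@ -710,143 +708,141 @@` hunk. The function starts and ends outside this hunk.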
@@ -496,111 +504,103 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha */ s2n(s->tlsext_ellipticcurvelist_length, ret); memcpy(ret, s->tlsext_ellipticcurvelist, s->tlsext_ellipticcurvelist_length); - ret+=s->tlsext_ellipticcurvelist_length; - } + ret += s->tlsext_ellipticcurvelist_length; + } #endif /* OPENSSL_NO_EC */ - if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) - { + if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) { int ticklen; if (!s->new_session && s->session && s->session->tlsext_tick) ticklen = s->session->tlsext_ticklen; else if (s->session && s->tlsext_session_ticket && - s->tlsext_session_ticket->data) - { + s->tlsext_session_ticket->data) { ticklen = s->tlsext_session_ticket->length; s->session->tlsext_tick = OPENSSL_malloc(ticklen); if (!s->session->tlsext_tick) return NULL; memcpy(s->session->tlsext_tick, - s->tlsext_session_ticket->data, - ticklen); + s->tlsext_session_ticket->data, + ticklen); s->session->tlsext_ticklen = ticklen; - } - else + } else ticklen = 0; if (ticklen == 0 && s->tlsext_session_ticket && - s->tlsext_session_ticket->data == NULL) - goto skip_ext; + s->tlsext_session_ticket->data == NULL) + goto skip_ext; /* Check for enough room 2 for extension type, 2 for len * rest for ticket */ if ((long)(limit - ret - 4 - ticklen) < 0) return NULL; - s2n(TLSEXT_TYPE_session_ticket,ret); - s2n(ticklen,ret); - if (ticklen) - { + s2n(TLSEXT_TYPE_session_ticket, ret); + + s2n(ticklen, ret); + if (ticklen) { memcpy(ret, s->session->tlsext_tick, ticklen); ret += ticklen; - } } - skip_ext: + } + skip_ext: - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) - { + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) - return NULL; - s2n(TLSEXT_TYPE_signature_algorithms,ret); + return NULL; + + s2n(TLSEXT_TYPE_signature_algorithms, ret); s2n(sizeof(tls12_sigalgs) + 2, ret); s2n(sizeof(tls12_sigalgs), ret); memcpy(ret, tls12_sigalgs, sizeof(tls12_sigalgs)); ret += 
sizeof(tls12_sigalgs); - } + } #ifdef TLSEXT_TYPE_opaque_prf_input if (s->s3->client_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { size_t col = s->s3->client_opaque_prf_input_len; - + if ((long)(limit - ret - 6 - col < 0)) return NULL; if (col > 0xFFFD) /* can't happen */ return NULL; - s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(col + 2, ret); s2n(col, ret); memcpy(ret, s->s3->client_opaque_prf_input, col); ret += col; - } + } #endif if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { int i; long extlen, idlen, itmp; OCSP_RESPID *id; idlen = 0; - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) - { + for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); itmp = i2d_OCSP_RESPID(id, NULL); if (itmp <= 0) return NULL; idlen += itmp + 2; - } + } - if (s->tlsext_ocsp_exts) - { + if (s->tlsext_ocsp_exts) { extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL); if (extlen < 0) return NULL; - } - else + } else extlen = 0; - + if ((long)(limit - ret - 7 - extlen - idlen) < 0) return NULL; - s2n(TLSEXT_TYPE_status_request, ret); + s2n(TLSEXT_TYPE_status_request, ret); if (extlen + idlen > 0xFFF0) return NULL; s2n(extlen + idlen + 5, ret); *(ret++) = TLSEXT_STATUSTYPE_ocsp; s2n(idlen, ret); - for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) - { + for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { /* save position of id len */ unsigned char *q = ret; id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i); 
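Review bot: In the `TLSEXT_TYPE_opaque_prf_input` block the bound check `if ((long)(limit - ret - 6 - col < 0))` has its closing parenthesis in the wrong place: the cast is applied to the result of the comparison, and since `col` is a `size_t` the subtraction is presumably evaluated as unsigned, so the test never fires and the `memcpy` of `col` bytes that follows is not guarded. It should match the server-side form used for `sol`, i.e. `if ((long)(limit - ret - 6 - col) < 0)`. The block is only compiled when `TLSEXT_TYPE_opaque_prf_input` is defined, and the function starts and ends outside this hunk.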
@@ -609,16 +609,16 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha itmp = i2d_OCSP_RESPID(id, &ret); /* write id len */ s2n(itmp, q); - } + } s2n(extlen, ret); if (extlen > 0) i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret); - } + } #ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension */ - s2n(TLSEXT_TYPE_heartbeat,ret); - s2n(1,ret); + s2n(TLSEXT_TYPE_heartbeat, ret); + s2n(1, ret); /* Set mode: * 1: peer may send requests * 2: peer not allowed to send requests @@ -630,36 +630,34 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha #endif #ifndef OPENSSL_NO_NEXTPROTONEG - if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) - { + if (s->ctx->next_proto_select_cb && !s->s3->tmp.finish_md_len) { /* The client advertises an emtpy extension to indicate its * support for Next Protocol Negotiation */ if (limit - ret - 4 < 0) return NULL; - s2n(TLSEXT_TYPE_next_proto_neg,ret); - s2n(0,ret); - } + s2n(TLSEXT_TYPE_next_proto_neg, ret); + s2n(0, ret); + } #endif #ifndef OPENSSL_NO_SRTP - if(SSL_get_srtp_profiles(s)) - { - int el; + if (SSL_get_srtp_profiles(s)) { + int el; + + ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0); - - if((limit - p - 4 - el) < 0) return NULL; + if ((limit - p - 4 - el) + < 0) return NULL; - s2n(TLSEXT_TYPE_use_srtp,ret); - s2n(el,ret); + s2n(TLSEXT_TYPE_use_srtp, ret); + s2n(el, ret); - if(ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) - { + if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) { SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - ret += el; - } + } + ret += el; + } #endif #ifdef TLSEXT_TYPE_padding 
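Review bot: In the `@@ -609,16 +609,16 @@` hunk the heartbeat extension is written with `s2n(TLSEXT_TYPE_heartbeat, ret); s2n(1, ret);` and no comparison against `limit`, unlike the extensions written before it in this function. A guard such as `if ((long)(limit - ret - 5) < 0) return NULL;` (four header bytes plus the one-byte mode announced by `s2n(1, ret)`) would make it consistent with them. The same holds for the server-side heartbeat block at the end of the `@@ -710,143 +708,141 @@` hunk and for the padding extension in the `@@ -670,38 +668,38 @@` hunk, which writes `hlen` zero bytes without checking the remaining space. The function starts and ends outside this hunk.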
@@ -670,38 +668,38 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha * extensions it MUST always appear last. */ { - int hlen = ret - (unsigned char *)s->init_buf->data; + int hlen = ret - (unsigned char *)s->init_buf->data; /* The code in s23_clnt.c to build ClientHello messages includes the * 5-byte record header in the buffer, while the code in s3_clnt.c does * not. */ - if (s->state == SSL23_ST_CW_CLNT_HELLO_A) - hlen -= 5; - if (hlen > 0xff && hlen < 0x200) - { - hlen = 0x200 - hlen; - if (hlen >= 4) - hlen -= 4; - else - hlen = 0; + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; + if (hlen > 0xff && hlen < 0x200) { + hlen = 0x200 - hlen; + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; - s2n(TLSEXT_TYPE_padding, ret); - s2n(hlen, ret); - memset(ret, 0, hlen); - ret += hlen; + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); + memset(ret, 0, hlen); + ret += hlen; } } #endif - if ((extdatalen = ret-p-2)== 0) + if ((extdatalen = ret - p - 2) == 0) return p; - s2n(extdatalen,p); + s2n(extdatalen, p); return ret; - } +} -unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) - { - int extdatalen=0; +unsigned char +*ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit) +{ + int extdatalen = 0; unsigned char *ret = p; #ifndef OPENSSL_NO_NEXTPROTONEG int next_proto_neg_seen; 
@@ -710,143 +708,141 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha /* don't add extensions for SSLv3, unless doing secure renegotiation */ if (s->version == SSL3_VERSION && !s->s3->send_connection_binding) return p; - - ret+=2; + + ret += 2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ - if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) - { - if ((long)(limit - ret - 4) < 0) return NULL; + if (!s->hit && s->servername_done == 1 && s->session->tlsext_hostname != NULL) { + if ((long)(limit - ret - 4) < 0) return NULL; + + + s2n(TLSEXT_TYPE_server_name, ret); + s2n(0, ret); + } - s2n(TLSEXT_TYPE_server_name,ret); - s2n(0,ret); + if (s->s3->send_connection_binding) { + int el; + + if (!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; + } + + if ((limit - p - 4 - el) + < 0) return NULL; + + s2n(TLSEXT_TYPE_renegotiate, ret); + s2n(el, ret); + + if (!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); + return NULL; } - if(s->s3->send_connection_binding) - { - int el; - - if(!ssl_add_serverhello_renegotiate_ext(s, 0, &el, 0)) - { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if((limit - p - 4 - el) < 0) return NULL; - - s2n(TLSEXT_TYPE_renegotiate,ret); - s2n(el,ret); - - if(!ssl_add_serverhello_renegotiate_ext(s, ret, &el, el)) - { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); - return NULL; - } - - ret += el; - } + ret += el; + } #ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* Add TLS extension ECPointFormats to the ServerHello message */ - long lenmax; + long lenmax; + + + if ((lenmax = limit - ret - 5) + < 0) return NULL; - if ((lenmax = limit - ret - 5) < 0) return NULL; if 
(s->tlsext_ecpointformatlist_length > (unsigned long)lenmax) return NULL; - if (s->tlsext_ecpointformatlist_length > 255) - { + if (s->tlsext_ecpointformatlist_length > 255) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - - s2n(TLSEXT_TYPE_ec_point_formats,ret); - s2n(s->tlsext_ecpointformatlist_length + 1,ret); + } + + s2n(TLSEXT_TYPE_ec_point_formats, ret); + s2n(s->tlsext_ecpointformatlist_length + 1, ret); *(ret++) = (unsigned char) s->tlsext_ecpointformatlist_length; memcpy(ret, s->tlsext_ecpointformatlist, s->tlsext_ecpointformatlist_length); - ret+=s->tlsext_ecpointformatlist_length; + ret += s->tlsext_ecpointformatlist_length; - } + } /* Currently the server should not respond with a SupportedCurves extension */ #endif /* OPENSSL_NO_EC */ if (s->tlsext_ticket_expected - && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) - { - if ((long)(limit - ret - 4) < 0) return NULL; - s2n(TLSEXT_TYPE_session_ticket,ret); - s2n(0,ret); - } + && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) { + if ((long)(limit - ret - 4) < 0) return NULL; - if (s->tlsext_status_expected) - { - if ((long)(limit - ret - 4) < 0) return NULL; - s2n(TLSEXT_TYPE_status_request,ret); - s2n(0,ret); - } + s2n(TLSEXT_TYPE_session_ticket, ret); + s2n(0, ret); + } + + if (s->tlsext_status_expected) { + if ((long)(limit - ret - 4) < 0) return NULL; + + s2n(TLSEXT_TYPE_status_request, ret); + s2n(0, ret); + } #ifdef TLSEXT_TYPE_opaque_prf_input if (s->s3->server_opaque_prf_input != NULL && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { size_t sol = s->s3->server_opaque_prf_input_len; - + if ((long)(limit - ret - 6 - sol) < 0) return NULL; if (sol > 0xFFFD) /* can't happen */ return NULL; - s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(TLSEXT_TYPE_opaque_prf_input, ret); + s2n(sol + 2, ret); s2n(sol, ret); memcpy(ret, s->s3->server_opaque_prf_input, sol); ret += sol; - } + } #endif #ifndef OPENSSL_NO_SRTP - if(s->srtp_profile) - { - int el; + if 
(s->srtp_profile) { + int el; - ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - - if((limit - p - 4 - el) < 0) return NULL; + ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0); - s2n(TLSEXT_TYPE_use_srtp,ret); - s2n(el,ret); + if ((limit - p - 4 - el) < 0) + return NULL; + + s2n(TLSEXT_TYPE_use_srtp, ret); + s2n(el, ret); - if(ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) - { + if (ssl_add_serverhello_use_srtp_ext(s, ret, &el, el)) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; - } - ret+=el; - } + } + ret += el; + } #endif - if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) - && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) - { const unsigned char cryptopro_ext[36] = { + if (((s->s3->tmp.new_cipher->id & 0xFFFF) == 0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF) == 0x81) + && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) { + const unsigned char cryptopro_ext[36] = { 0xfd, 0xe8, /*65000*/ 0x00, 0x20, /*32 bytes length*/ - 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, - 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, - 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, - 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17}; - if (limit-ret<36) return NULL; - memcpy(ret,cryptopro_ext,36); - ret+=36; - - } + 0x30, 0x1e, 0x30, 0x08, 0x06, 0x06, 0x2a, 0x85, + 0x03, 0x02, 0x02, 0x09, 0x30, 0x08, 0x06, 0x06, + 0x2a, 0x85, 0x03, 0x02, 0x02, 0x16, 0x30, 0x08, + 0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17 + }; + if (limit - ret < 36) + return NULL; + memcpy(ret, cryptopro_ext, 36); + ret += 36; + } #ifndef OPENSSL_NO_HEARTBEATS /* Add Heartbeat extension if we've received one */ - if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) - { - s2n(TLSEXT_TYPE_heartbeat,ret); - s2n(1,ret); + if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) { + s2n(TLSEXT_TYPE_heartbeat, ret); + s2n(1, ret); /* Set mode: * 1: peer may send requests * 2: peer not allowed to send requests 
@@ -856,37 +852,35 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha else *(ret++) = SSL_TLSEXT_HB_ENABLED; - } + } #endif #ifndef OPENSSL_NO_NEXTPROTONEG next_proto_neg_seen = s->s3->next_proto_neg_seen; s->s3->next_proto_neg_seen = 0; - if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) - { + if (next_proto_neg_seen && s->ctx->next_protos_advertised_cb) { const unsigned char *npa; unsigned int npalen; int r; r = s->ctx->next_protos_advertised_cb(s, &npa, &npalen, s->ctx->next_protos_advertised_cb_arg); - if (r == SSL_TLSEXT_ERR_OK) - { + if (r == SSL_TLSEXT_ERR_OK) { if ((long)(limit - ret - 4 - npalen) < 0) return NULL; - s2n(TLSEXT_TYPE_next_proto_neg,ret); - s2n(npalen,ret); + s2n(TLSEXT_TYPE_next_proto_neg, ret); + s2n(npalen, ret); memcpy(ret, npa, npalen); ret += npalen; s->s3->next_proto_neg_seen = 1; - } } + } #endif - if ((extdatalen = ret-p-2)== 0) + if ((extdatalen = ret - p - 2) == 0) return p; - s2n(extdatalen,p); + s2n(extdatalen, p); return ret; - } +} #ifndef OPENSSL_NO_EC /* ssl_check_for_safari attempts to fingerprint Safari using OS X @@ -901,7 +895,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from * 10.8..10.8.3 (which don't work). */ -static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { +static void +ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { unsigned short type, size; static const unsigned char kSafariExtensionsBlock[] = { 0x00, 0x0a, /* elliptic_curves extension */ 
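Review bot: In the `@@ -901,7 +895,8 @@` hunk `ssl_check_for_safari` gets its return type on a separate line but keeps the opening brace at the end of the parameter list (`..., const unsigned char *d, int n) {`), which is inconsistent with the other function definitions reformatted in this file. For KNF the brace goes alone on the following line, and the over-long parameter list would be wrapped the way `ssl_parse_clienthello_tlsext` is in the next hunk. The function body continues outside this hunk.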
@@ -929,50 +924,49 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsign 0x02, 0x03, /* SHA-1/ECDSA */ }; - if (data >= (d+n-2)) + if (data >= (d + n - 2)) return; data += 2; - if (data > (d+n-4)) + if (data > (d + n - 4)) return; - n2s(data,type); - n2s(data,size); + n2s(data, type); + n2s(data, size); if (type != TLSEXT_TYPE_server_name) return; - if (data+size > d+n) + if (data + size > d + n) return; data += size; - if (TLS1_get_client_version(s) >= TLS1_2_VERSION) - { + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { const size_t len1 = sizeof(kSafariExtensionsBlock); const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - if (data + len1 + len2 != d+n) + if (data + len1 + len2 != d + n) return; if (memcmp(data, kSafariExtensionsBlock, len1) != 0) return; if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) return; - } - else - { + } else { const size_t len = sizeof(kSafariExtensionsBlock); - if (data + len != d+n) + if (data + len != d + n) return; if (memcmp(data, kSafariExtensionsBlock, len) != 0) return; - } + } s->s3->is_probably_safari = 1; } #endif /* !OPENSSL_NO_EC */ -int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) - { +int +ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, + int n, int *al) +{ unsigned short type; unsigned short size; unsigned short len; @@ -988,7 +982,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif #ifndef OPENSSL_NO_EC 
@@ -996,26 +990,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in ssl_check_for_safari(s, data, d, n); #endif /* !OPENSSL_NO_EC */ - if (data >= (d+n-2)) + if (data >= (d + n - 2)) goto ri_check; - n2s(data,len); + n2s(data, len); - if (data > (d+n-len)) + if (data > (d + n - len)) goto ri_check; - while (data <= (d+n-4)) - { - n2s(data,type); - n2s(data,size); + while (data <= (d + n - 4)) { + n2s(data, type); + n2s(data, size); - if (data+size > (d+n)) - goto ri_check; + if (data + size > (d + n)) + goto ri_check; #if 0 - fprintf(stderr,"Received extension type %d size %d\n",type,size); + fprintf(stderr, "Received extension type %d size %d\n", type, size); #endif if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 0, type, data, size, - s->tlsext_debug_arg); + s->tlsext_debug_arg); /* The servername extension is treated as follows: - Only the hostname type is supported with a maximum length of 255. 
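Review bot: The length checks around the extension loop in `ssl_parse_clienthello_tlsext` jump to `ri_check` when the lengths do not add up (`if (data > (d + n - len)) goto ri_check;` and `if (data + size > (d + n)) goto ri_check;`), so a truncated or inconsistent extension block is accepted and whatever extensions remain are silently ignored rather than rejected. `ssl_parse_serverhello_tlsext` in the same file answers a bad total length with a decode error; the client-hello path would be stricter and easier to reason about doing the same, i.e. `*al = SSL_AD_DECODE_ERROR; return 0;` in both places. The function starts and ends outside this hunk.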
@@ -1039,206 +1032,180 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in */ - if (type == TLSEXT_TYPE_server_name) - { + if (type == TLSEXT_TYPE_server_name) { unsigned char *sdata; int servname_type; - int dsize; - - if (size < 2) - { + int dsize; + + + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } - n2s(data,dsize); + } + n2s(data, dsize); + size -= 2; - if (dsize > size ) - { + if (dsize > size) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sdata = data; - while (dsize > 3) - { - servname_type = *(sdata++); - n2s(sdata,len); + while (dsize > 3) { + servname_type = *(sdata++); + + n2s(sdata, len); dsize -= 3; - if (len > dsize) - { + if (len > dsize) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } if (s->servername_done == 0) - switch (servname_type) - { + switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (!s->hit) - { - if(s->session->tlsext_hostname) - { + if (!s->hit) { + if (s->session->tlsext_hostname) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (len > TLSEXT_MAXLEN_host_name) - { + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; - } - if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) - { + } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len + 1)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } memcpy(s->session->tlsext_hostname, sdata, len); - s->session->tlsext_hostname[len]='\0'; + s->session->tlsext_hostname[len] = '\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } - s->servername_done = 1; + s->servername_done = 1; - } - else + + } else s->servername_done = s->session->tlsext_hostname - && strlen(s->session->tlsext_hostname) == len - && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; - + && strlen(s->session->tlsext_hostname) == len + && strncmp(s->session->tlsext_hostname, (char 
*)sdata, len) == 0; + break; default: break; - } - - dsize -= len; } - if (dsize != 0) - { + + dsize -= len; + } + if (dsize != 0) { *al = SSL_AD_DECODE_ERROR; return 0; - } - } + + } #ifndef OPENSSL_NO_SRP - else if (type == TLSEXT_TYPE_srp) - { - if (size <= 0 || ((len = data[0])) != (size -1)) - { + else if (type == TLSEXT_TYPE_srp) { + if (size <= 0 || ((len = data[0])) != (size - 1)) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (s->srp_ctx.login != NULL) - { + } + if (s->srp_ctx.login != NULL) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL) + } + if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL) return -1; memcpy(s->srp_ctx.login, &data[1], len); - s->srp_ctx.login[len]='\0'; - - if (strlen(s->srp_ctx.login) != len) - { + s->srp_ctx.login[len] = '\0'; + + if (strlen(s->srp_ctx.login) != len) { *al = SSL_AD_DECODE_ERROR; return 0; - } } + } #endif #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1) - { + if (ecpointformatlist_length != size - 1) { *al = TLS1_AD_DECODE_ERROR; return 0; - } - if (!s->hit) - { - if(s->session->tlsext_ecpointformatlist) - { + } + if (!s->hit) { + if (s->session->tlsext_ecpointformatlist) { OPENSSL_free(s->session->tlsext_ecpointformatlist); s->session->tlsext_ecpointformatlist = NULL; - } + } s->session->tlsext_ecpointformatlist_length = 0; - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) - { + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); - } + } #if 0 - 
fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); + fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist; for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - fprintf(stderr,"%i ",*(sdata++)); - fprintf(stderr,"\n"); + fprintf(stderr, "%i ", *(sdata++)); + fprintf(stderr, "\n"); #endif - } - else if (type == TLSEXT_TYPE_elliptic_curves && - s->version != DTLS1_VERSION) - { + } else if (type == TLSEXT_TYPE_elliptic_curves && + s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); if (ellipticcurvelist_length != size - 2 || - ellipticcurvelist_length < 1) - { + ellipticcurvelist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; - } - if (!s->hit) - { - if(s->session->tlsext_ellipticcurvelist) - { + } + if (!s->hit) { + if (s->session->tlsext_ellipticcurvelist) { *al = TLS1_AD_DECODE_ERROR; return 0; - } + } s->session->tlsext_ellipticcurvelist_length = 0; - if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) - { + if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); - } + } #if 0 - fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); + fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist; for (i = 0; i < 
s->session->tlsext_ellipticcurvelist_length; i++) - fprintf(stderr,"%i ",*(sdata++)); - fprintf(stderr,"\n"); + fprintf(stderr, "%i ", *(sdata++)); + fprintf(stderr, "\n"); #endif - } + } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; - if (size < 2) - { + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } n2s(sdata, s->s3->client_opaque_prf_input_len); - if (s->s3->client_opaque_prf_input_len != size - 2) - { + if (s->s3->client_opaque_prf_input_len != size - 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); 
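Review bot: The `TLSEXT_TYPE_ec_point_formats` branch reads `*(sdata++)` before anything has established that `size` is at least 1, and the `TLSEXT_TYPE_elliptic_curves` branch reads two bytes before checking that `size` is at least 2; for a zero-length extension at the very end of the message those reads fall outside the `n` bytes at `d`. The mismatch is rejected afterwards by the `!= size - 1` and `!= size - 2` comparisons, but only after the read has happened. The SRP branch in the same hunk shows the safe order (`size <= 0 ||` first); add `if (size < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; }` (respectively `size < 2`) ahead of the first dereference. The heartbeat branch in the `@@ -1246,183 +1213,154 @@` hunk has the same gap at `switch (data[0])`. The function starts and ends outside this hunk.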
@@ -1246,183 +1213,154 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ else s->s3->client_opaque_prf_input = BUF_memdup(sdata, s->s3->client_opaque_prf_input_len); - if (s->s3->client_opaque_prf_input == NULL) - { + if (s->s3->client_opaque_prf_input == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } } + } #endif - else if (type == TLSEXT_TYPE_session_ticket) - { + else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) - { + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } } - else if (type == TLSEXT_TYPE_renegotiate) - { - if(!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) + } else if (type == TLSEXT_TYPE_renegotiate) { + if (!ssl_parse_clienthello_renegotiate_ext(s, data, size, al)) return 0; renegotiate_seen = 1; - } - else if (type == TLSEXT_TYPE_signature_algorithms) - { + } else if (type == TLSEXT_TYPE_signature_algorithms) { int dsize; - if (sigalg_seen || size < 2) - { + if (sigalg_seen || size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sigalg_seen = 1; - n2s(data,dsize); + n2s(data, dsize); size -= 2; - if (dsize != size || dsize & 1) - { + if (dsize != size || dsize & 1) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (!tls1_process_sigalgs(s, data, dsize)) - { + } + if (!tls1_process_sigalgs(s, data, dsize)) { *al = SSL_AD_DECODE_ERROR; return 0; - } } - else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) - { - - if (size < 5) - { + } else if (type == TLSEXT_TYPE_status_request && + s->version != DTLS1_VERSION) { + + if (size < 5) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } s->tlsext_status_type = *data++; size--; - if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) - { + if 
(s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) { const unsigned char *sdata; int dsize; /* Read in responder_id_list */ - n2s(data,dsize); + n2s(data, dsize); size -= 2; - if (dsize > size ) - { + if (dsize > size ) { *al = SSL_AD_DECODE_ERROR; return 0; - } - while (dsize > 0) - { + } + while (dsize > 0) { OCSP_RESPID *id; int idsize; - if (dsize < 4) - { + if (dsize < 4) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } n2s(data, idsize); dsize -= 2 + idsize; size -= 2 + idsize; - if (dsize < 0) - { + if (dsize < 0) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sdata = data; data += idsize; id = d2i_OCSP_RESPID(NULL, - &sdata, idsize); - if (!id) - { + &sdata, idsize); + if (!id) { *al = SSL_AD_DECODE_ERROR; return 0; - } - if (data != sdata) - { + } + if (data != sdata) { OCSP_RESPID_free(id); *al = SSL_AD_DECODE_ERROR; return 0; - } + } if (!s->tlsext_ocsp_ids && !(s->tlsext_ocsp_ids = - sk_OCSP_RESPID_new_null())) - { + sk_OCSP_RESPID_new_null())) { OCSP_RESPID_free(id); *al = SSL_AD_INTERNAL_ERROR; return 0; - } + } if (!sk_OCSP_RESPID_push( - s->tlsext_ocsp_ids, id)) - { + s->tlsext_ocsp_ids, id)) { OCSP_RESPID_free(id); *al = SSL_AD_INTERNAL_ERROR; return 0; - } } + } /* Read in request_extensions */ - if (size < 2) - { + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } - n2s(data,dsize); + } + n2s(data, dsize); size -= 2; - if (dsize != size) - { + if (dsize != size) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } sdata = data; - if (dsize > 0) - { - if (s->tlsext_ocsp_exts) - { + if (dsize > 0) { + if (s->tlsext_ocsp_exts) { sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - } + X509_EXTENSION_free); + } s->tlsext_ocsp_exts = - d2i_X509_EXTENSIONS(NULL, - &sdata, dsize); + d2i_X509_EXTENSIONS(NULL, + &sdata, dsize); if (!s->tlsext_ocsp_exts - || (data + dsize != sdata)) - { + || (data + dsize != sdata)) { *al = SSL_AD_DECODE_ERROR; return 0; - } } } + } /* We don't know what to do with any other type * so ignore it. 
*/ - else - s->tlsext_status_type = -1; - } + else + s->tlsext_status_type = -1; + } #ifndef OPENSSL_NO_HEARTBEATS - else if (type == TLSEXT_TYPE_heartbeat) - { - switch(data[0]) - { - case 0x01: /* Client allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - break; - case 0x02: /* Client doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; - break; - default: *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + else if (type == TLSEXT_TYPE_heartbeat) { + switch (data[0]) { + case 0x01: /* Client allows us to send HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + break; + case 0x02: /* Client doesn't accept HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + break; + default: + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; } + } #endif #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) - { + s->s3->tmp.finish_md_len == 0) { /* We shouldn't accept this extension on a * renegotiation. * @@ -1439,22 +1377,21 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in * in the Hello protocol round, well before a new * Finished message could have been computed.) */ s->s3->next_proto_neg_seen = 1; - } + } #endif /* session ticket processed earlier */ #ifndef OPENSSL_NO_SRTP - else if (type == TLSEXT_TYPE_use_srtp) - { - if(ssl_parse_clienthello_use_srtp_ext(s, data, size, - al)) - return 0; - } + else if (type == TLSEXT_TYPE_use_srtp) { + if (ssl_parse_clienthello_use_srtp_ext(s, data, size, + al)) + return 0; + } #endif - data+=size; - } - + data += size; + } + *p = data; ri_check: 
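Review bot: In the `@@ -1246,183 +1213,154 @@` hunk each parsed responder id is pushed onto `s->tlsext_ocsp_ids`, and the stack is only created when it is NULL, so ids from an earlier ClientHello on the same connection are kept and the new ones appended. Nothing in the hunk clears the list, whereas `s->tlsext_ocsp_exts` a few lines further down is released with `sk_X509_EXTENSION_pop_free` before it is replaced. Unless a caller resets it (not visible here), repeated handshakes let the list grow without bound; releasing it before the loop with `sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); s->tlsext_ocsp_ids = NULL;` would prevent that. The function starts and ends outside this hunk.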
@@ -1462,39 +1399,39 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in /* Need RI if renegotiating */ if (!renegotiate_seen && s->renegotiate && - !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { + !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { *al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; - } + } return 1; - } +} #ifndef OPENSSL_NO_NEXTPROTONEG /* ssl_next_proto_validate validates a Next Protocol Negotiation block. No * elements of zero length are allowed and the set of elements must exactly fill * the length of the block. */ -static char ssl_next_proto_validate(unsigned char *d, unsigned len) - { +static char +ssl_next_proto_validate(unsigned char *d, unsigned len) +{ unsigned int off = 0; - while (off < len) - { + while (off < len) { if (d[off] == 0) return 0; off += d[off]; off++; - } + } return off == len; - } +} #endif -int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) - { +int +ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) +{ unsigned short length; unsigned short type; unsigned short size; 
@@ -1508,107 +1445,96 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in #ifndef OPENSSL_NO_HEARTBEATS s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif - if (data >= (d+n-2)) + if (data >= (d + n - 2)) goto ri_check; - n2s(data,length); - if (data+length != d+n) - { + n2s(data, length); + if (data + length != d + n) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } - while(data <= (d+n-4)) - { - n2s(data,type); - n2s(data,size); + while (data <= (d + n - 4)) { + n2s(data, type); + n2s(data, size); - if (data+size > (d+n)) - goto ri_check; + if (data + size > (d + n)) + goto ri_check; if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 1, type, data, size, - s->tlsext_debug_arg); + s->tlsext_debug_arg); - if (type == TLSEXT_TYPE_server_name) - { - if (s->tlsext_hostname == NULL || size > 0) - { + if (type == TLSEXT_TYPE_server_name) { + if (s->tlsext_hostname == NULL || size > 0) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; - } - tlsext_servername = 1; } + tlsext_servername = 1; + + } #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1 || - ecpointformatlist_length < 1) - { + if (ecpointformatlist_length != size - 1 || + ecpointformatlist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; - } + } s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) - { + if (s->session->tlsext_ecpointformatlist != NULL) + OPENSSL_free(s->session->tlsext_ecpointformatlist); + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) { *al = 
TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 - fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); + fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); sdata = s->session->tlsext_ecpointformatlist; for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - fprintf(stderr,"%i ",*(sdata++)); - fprintf(stderr,"\n"); + fprintf(stderr, "%i ", *(sdata++)); + fprintf(stderr, "\n"); #endif - } + } #endif /* OPENSSL_NO_EC */ - else if (type == TLSEXT_TYPE_session_ticket) - { + else if (type == TLSEXT_TYPE_session_ticket) { if (s->tls_session_ticket_ext_cb && - !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) - { + !s->tls_session_ticket_ext_cb(s, data, size, s->tls_session_ticket_ext_cb_arg)) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } if ((SSL_get_options(s) & SSL_OP_NO_TICKET) - || (size > 0)) - { + || (size > 0)) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; - } - s->tlsext_ticket_expected = 1; } + s->tlsext_ticket_expected = 1; + } #ifdef TLSEXT_TYPE_opaque_prf_input else if (type == TLSEXT_TYPE_opaque_prf_input && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { unsigned char *sdata = data; - if (size < 2) - { + if (size < 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } n2s(sdata, s->s3->server_opaque_prf_input_len); - if (s->s3->server_opaque_prf_input_len != size - 2) - { + if (s->s3->server_opaque_prf_input_len != size - 2) { *al = SSL_AD_DECODE_ERROR; return 0; - } - + } + if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); if (s->s3->server_opaque_prf_input_len == 0) 
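Review bot: In the `TLSEXT_TYPE_ec_point_formats` branch, `int ecpointformatlist_length = *(sdata++);` reads the first byte of the extension body before anything has established that `size` is at least 1. A zero-length extension sitting at the very end of the ServerHello therefore causes a one-byte read past the range the loop has validated, and only afterwards does the `size - 1` comparison reject it. Checking first closes this: `if (size < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; }` ahead of the dereference. The `switch (data[0])` in the heartbeat branch of the following hunk has the same shape and needs the same guard on `size`. The body of ssl_parse_serverhello_tlsext starts before this hunk and continues after it.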
@@ -1616,123 +1542,107 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in else s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); - if (s->s3->server_opaque_prf_input == NULL) - { + if (s->s3->server_opaque_prf_input == NULL) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } } + } #endif else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION) - { + s->version != DTLS1_VERSION) { /* MUST be empty and only sent if we've requested * a status request message. */ - if ((s->tlsext_status_type == -1) || (size > 0)) - { + if ((s->tlsext_status_type == -1) || (size > 0)) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; - } + } /* Set flag to expect CertificateStatus message */ s->tlsext_status_expected = 1; - } + } #ifndef OPENSSL_NO_NEXTPROTONEG else if (type == TLSEXT_TYPE_next_proto_neg && - s->s3->tmp.finish_md_len == 0) - { + s->s3->tmp.finish_md_len == 0) { unsigned char *selected; unsigned char selected_len; /* We must have requested it. 
*/ - if (s->ctx->next_proto_select_cb == NULL) - { + if (s->ctx->next_proto_select_cb == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; - } + } /* The data must be valid */ - if (!ssl_next_proto_validate(data, size)) - { + if (!ssl_next_proto_validate(data, size)) { *al = TLS1_AD_DECODE_ERROR; return 0; - } - if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) - { + } + if (s->ctx->next_proto_select_cb(s, &selected, &selected_len, data, size, s->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } s->next_proto_negotiated = OPENSSL_malloc(selected_len); - if (!s->next_proto_negotiated) - { + if (!s->next_proto_negotiated) { *al = TLS1_AD_INTERNAL_ERROR; return 0; - } + } memcpy(s->next_proto_negotiated, selected, selected_len); s->next_proto_negotiated_len = selected_len; s->s3->next_proto_neg_seen = 1; - } + } #endif - else if (type == TLSEXT_TYPE_renegotiate) - { - if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) + else if (type == TLSEXT_TYPE_renegotiate) { + if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) return 0; renegotiate_seen = 1; - } + } #ifndef OPENSSL_NO_HEARTBEATS - else if (type == TLSEXT_TYPE_heartbeat) - { - switch(data[0]) - { - case 0x01: /* Server allows us to send HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - break; - case 0x02: /* Server doesn't accept HB requests */ - s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; - s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS; - break; - default: *al = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + else if (type == TLSEXT_TYPE_heartbeat) { + switch (data[0]) { + case 0x01: /* Server allows us to send HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + break; + case 0x02: /* Server doesn't accept HB requests */ + s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; + s->tlsext_heartbeat |= 
SSL_TLSEXT_HB_DONT_SEND_REQUESTS; + break; + default: + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; } + } #endif #ifndef OPENSSL_NO_SRTP - else if (type == TLSEXT_TYPE_use_srtp) - { - if(ssl_parse_serverhello_use_srtp_ext(s, data, size, - al)) - return 0; - } + else if (type == TLSEXT_TYPE_use_srtp) { + if (ssl_parse_serverhello_use_srtp_ext(s, data, size, + al)) + return 0; + } #endif - data+=size; - } + data += size; + + } - if (data != d+n) - { + if (data != d + n) { *al = SSL_AD_DECODE_ERROR; return 0; - } + } + + if (!s->hit && tlsext_servername == 1) { + if (s->tlsext_hostname) { + if (s->session->tlsext_hostname == NULL) { + s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); - if (!s->hit && tlsext_servername == 1) - { - if (s->tlsext_hostname) - { - if (s->session->tlsext_hostname == NULL) - { - s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname); - if (!s->session->tlsext_hostname) - { + if (!s->session->tlsext_hostname) { *al = SSL_AD_UNRECOGNIZED_NAME; return 0; - } } - else - { + } else { *al = SSL_AD_DECODE_ERROR; return 0; - } } } + } *p = data; @@ -1747,20 +1657,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in */ if (!renegotiate_seen && !(s->options & SSL_OP_LEGACY_SERVER_CONNECT) - && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) - { + && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, - SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); return 0; - } + } return 1; - } +} -int ssl_prepare_clienthello_tlsext(SSL *s) - { +int +ssl_prepare_clienthello_tlsext(SSL *s) +{ #ifndef OPENSSL_NO_EC /* If we are client and using an elliptic curve cryptography cipher suite, send the point formats * and elliptic curves we support. 
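Review bot: In the next_proto_neg branch, `s->next_proto_negotiated = OPENSSL_malloc(selected_len);` overwrites the pointer without releasing a value that may already be there. The branch is gated only on `s->s3->tmp.finish_md_len == 0`, so as far as this hunk shows, a ServerHello that carries the extension twice leaks the first buffer. Unless the field is known to be cleared before this function runs, free it first: `if (s->next_proto_negotiated != NULL) OPENSSL_free(s->next_proto_negotiated);`. The function begins in an earlier hunk, so any reset done there is not visible here.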
@@ -1771,63 +1681,59 @@ int ssl_prepare_clienthello_tlsext(SSL *s) unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s); - for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) - { + for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) { SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i); alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) - { + if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA))) { using_ecc = 1; break; - } } + } using_ecc = using_ecc && (s->version >= TLS1_VERSION); - if (using_ecc) - { - if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); - if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + if (using_ecc) { + if (s->tlsext_ecpointformatlist != NULL) + OPENSSL_free(s->tlsext_ecpointformatlist); + if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } + } s->tlsext_ecpointformatlist_length = 3; s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; /* we support all named elliptic curves in draft-ietf-tls-ecc-12 */ - if (s->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->tlsext_ellipticcurvelist); + if (s->tlsext_ellipticcurvelist != NULL) + OPENSSL_free(s->tlsext_ellipticcurvelist); s->tlsext_ellipticcurvelist_length = sizeof(pref_list)/sizeof(pref_list[0]) * 2; - if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) - { + if ((s->tlsext_ellipticcurvelist = OPENSSL_malloc(s->tlsext_ellipticcurvelist_length)) == NULL) { s->tlsext_ellipticcurvelist_length = 0; - 
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } - for (i = 0, j = s->tlsext_ellipticcurvelist; (unsigned int)i < - sizeof(pref_list)/sizeof(pref_list[0]); i++) - { + } + for (i = 0, j = s->tlsext_ellipticcurvelist; + (unsigned int)i < + sizeof(pref_list)/sizeof(pref_list[0]); + i++) { int id = tls1_ec_nid2curve_id(pref_list[i]); - s2n(id,j); - } + s2n(id, j); } + } #endif /* OPENSSL_NO_EC */ #ifdef TLSEXT_TYPE_opaque_prf_input - { + { int r = 1; - - if (s->ctx->tlsext_opaque_prf_input_callback != 0) - { + + if (s->ctx->tlsext_opaque_prf_input_callback != 0) { r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); if (!r) return -1; - } + } - if (s->tlsext_opaque_prf_input != NULL) - { + if (s->tlsext_opaque_prf_input != NULL) { if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); 
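Review bot: When `OPENSSL_malloc(3)` fails for `s->tlsext_ecpointformatlist`, the function returns -1 with the pointer NULL but leaves `s->tlsext_ecpointformatlist_length` at its previous value. The elliptic-curve list a few lines below resets its length to 0 on the same failure. A stale non-zero length next to a NULL pointer is a hazard for any later code that trusts the length alone, so the failure branch should set `s->tlsext_ecpointformatlist_length = 0;` before `return -1;`. The point-format allocation in the ssl_prepare_serverhello_tlsext hunk further down has the same gap.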
@@ -1835,25 +1741,25 @@ int ssl_prepare_clienthello_tlsext(SSL *s) s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ else s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); - if (s->s3->client_opaque_prf_input == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + if (s->s3->client_opaque_prf_input == NULL) { + SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } - s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } + s->s3->client_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + } if (r == 2) /* at callback's request, insist on receiving an appropriate server opaque PRF input */ - s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; + s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } #endif return 1; - } +} -int ssl_prepare_serverhello_tlsext(SSL *s) - { +int +ssl_prepare_serverhello_tlsext(SSL *s) +{ #ifndef OPENSSL_NO_EC /* If we are server and using an ECC cipher suite, send the point formats we support * if the client sent us an ECPointsFormat extension. Note that the server is not 
@@ -1864,28 +1770,28 @@ int ssl_prepare_serverhello_tlsext(SSL *s) unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA); using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL); - - if (using_ecc) - { - if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist); - if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) - { - SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); + + if (using_ecc) { + if (s->tlsext_ecpointformatlist != NULL) + OPENSSL_free(s->tlsext_ecpointformatlist); + if ((s->tlsext_ecpointformatlist = OPENSSL_malloc(3)) == NULL) { + SSLerr(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT, ERR_R_MALLOC_FAILURE); return -1; - } + } s->tlsext_ecpointformatlist_length = 3; s->tlsext_ecpointformatlist[0] = TLSEXT_ECPOINTFORMAT_uncompressed; s->tlsext_ecpointformatlist[1] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; s->tlsext_ecpointformatlist[2] = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } + } #endif /* OPENSSL_NO_EC */ return 1; - } +} -int ssl_check_clienthello_tlsext_early(SSL *s) - { - int ret=SSL_TLSEXT_ERR_NOACK; +int +ssl_check_clienthello_tlsext_early(SSL *s) +{ + int ret = SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; #ifndef OPENSSL_NO_EC 
@@ -1897,40 +1803,36 @@ int ssl_check_clienthello_tlsext_early(SSL *s) */ #endif - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); #ifdef TLSEXT_TYPE_opaque_prf_input - { + { /* This sort of belongs into ssl_prepare_serverhello_tlsext(), * but we might be sending an alert in response to the client hello, * so this has to happen here in * ssl_check_clienthello_tlsext_early(). */ int r = 1; - - if (s->ctx->tlsext_opaque_prf_input_callback != 0) - { + + if (s->ctx->tlsext_opaque_prf_input_callback != 0) { r = s->ctx->tlsext_opaque_prf_input_callback(s, NULL, 0, s->ctx->tlsext_opaque_prf_input_callback_arg); - if (!r) - { + if (!r) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_INTERNAL_ERROR; goto err; - } } + } if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); s->s3->server_opaque_prf_input = NULL; - if (s->tlsext_opaque_prf_input != NULL) - { + if (s->tlsext_opaque_prf_input != NULL) { if (s->s3->client_opaque_prf_input != NULL && - s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) - { + s->s3->client_opaque_prf_input_len == s->tlsext_opaque_prf_input_len) { /* can only use this extension if we have a server opaque PRF input * of the same length as the client opaque PRF input! */ 
@@ -1938,48 +1840,48 @@ int ssl_check_clienthello_tlsext_early(SSL *s) s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ else s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); - if (s->s3->server_opaque_prf_input == NULL) - { + if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_INTERNAL_ERROR; goto err; - } - s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } + s->s3->server_opaque_prf_input_len = s->tlsext_opaque_prf_input_len; } + } - if (r == 2 && s->s3->server_opaque_prf_input == NULL) - { + if (r == 2 && s->s3->server_opaque_prf_input == NULL) { /* The callback wants to enforce use of the extension, * but we can't do that with the client opaque PRF input; * abort the handshake. */ ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_HANDSHAKE_FAILURE; - } + } } - err: + err: #endif - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done=0; - default: + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + default: return 1; - } } +} -int ssl_check_clienthello_tlsext_late(SSL *s) - { +int +ssl_check_clienthello_tlsext_late(SSL *s) +{ int ret = SSL_TLSEXT_ERR_OK; int al; 
@@ -1988,64 +1890,62 @@ int ssl_check_clienthello_tlsext_late(SSL *s) * the certificate has changed, and must be called after the cipher * has been chosen because this may influence which certificate is sent */ - if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) - { + if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) { int r; CERT_PKEY *certpkey; certpkey = ssl_get_server_send_pkey(s); /* If no certificate can't return certificate status */ - if (certpkey == NULL) - { + if (certpkey == NULL) { s->tlsext_status_expected = 0; return 1; - } + } /* Set current certificate to one we will use so * SSL_get_certificate et al can pick it up. */ s->cert->key = certpkey; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - switch (r) - { + switch (r) { /* We don't want to send a status request response */ - case SSL_TLSEXT_ERR_NOACK: - s->tlsext_status_expected = 0; - break; + case SSL_TLSEXT_ERR_NOACK: + s->tlsext_status_expected = 0; + break; /* status request response should be sent */ - case SSL_TLSEXT_ERR_OK: - if (s->tlsext_ocsp_resp) - s->tlsext_status_expected = 1; - else - s->tlsext_status_expected = 0; - break; + case SSL_TLSEXT_ERR_OK: + if (s->tlsext_ocsp_resp) + s->tlsext_status_expected = 1; + else + s->tlsext_status_expected = 0; + break; /* something bad happened */ - case SSL_TLSEXT_ERR_ALERT_FATAL: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - al = SSL_AD_INTERNAL_ERROR; - goto err; - } + case SSL_TLSEXT_ERR_ALERT_FATAL: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + al = SSL_AD_INTERNAL_ERROR; + goto err; } - else + } else s->tlsext_status_expected = 0; - err: - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; +err: + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return 1; + return -1; - default: - return 1; - } + case 
SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + + default: + return 1; } +} -int ssl_check_serverhello_tlsext(SSL *s) - { - int ret=SSL_TLSEXT_ERR_NOACK; +int +ssl_check_serverhello_tlsext(SSL *s) +{ + int ret = SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; #ifndef OPENSSL_NO_EC 
@@ -2055,105 +1955,95 @@ int ssl_check_serverhello_tlsext(SSL *s) */ unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; - if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && - (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && - ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) - { + if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && + (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && + ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list; int found_uncompressed = 0; list = s->session->tlsext_ecpointformatlist; - for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - { - if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) - { + for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { + if (*(list++) == TLSEXT_ECPOINTFORMAT_uncompressed) { found_uncompressed = 1; break; - } } - if (!found_uncompressed) - { - SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); + } + if (!found_uncompressed) { + SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); return -1; - } } + } ret = SSL_TLSEXT_ERR_OK; #endif /* OPENSSL_NO_EC */ - if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); #ifdef TLSEXT_TYPE_opaque_prf_input - if 
(s->s3->server_opaque_prf_input_len > 0) - { + if (s->s3->server_opaque_prf_input_len > 0) { /* This case may indicate that we, as a client, want to insist on using opaque PRF inputs. * So first verify that we really have a value from the server too. */ - if (s->s3->server_opaque_prf_input == NULL) - { + if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_HANDSHAKE_FAILURE; - } - + } + /* Anytime the server *has* sent an opaque PRF input, we need to check * that we have a client opaque PRF input of the same size. */ if (s->s3->client_opaque_prf_input == NULL || - s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) - { + s->s3->client_opaque_prf_input_len != s->s3->server_opaque_prf_input_len) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; al = SSL_AD_ILLEGAL_PARAMETER; - } } + } #endif /* If we've requested certificate status and we wont get one * tell the callback */ if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) - && s->ctx && s->ctx->tlsext_status_cb) - { + && s->ctx && s->ctx->tlsext_status_cb) { int r; /* Set resp to NULL, resplen to -1 so callback knows * there is no response. 
*/ - if (s->tlsext_ocsp_resp) - { + if (s->tlsext_ocsp_resp) { OPENSSL_free(s->tlsext_ocsp_resp); s->tlsext_ocsp_resp = NULL; - } + } s->tlsext_ocsp_resplen = -1; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - if (r == 0) - { + if (r == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } - if (r < 0) - { + } + if (r < 0) { al = SSL_AD_INTERNAL_ERROR; ret = SSL_TLSEXT_ERR_ALERT_FATAL; - } } + } - switch (ret) - { - case SSL_TLSEXT_ERR_ALERT_FATAL: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; + switch (ret) { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s, SSL3_AL_FATAL, al); - case SSL_TLSEXT_ERR_ALERT_WARNING: - ssl3_send_alert(s,SSL3_AL_WARNING,al); - return 1; - - case SSL_TLSEXT_ERR_NOACK: - s->servername_done=0; - default: + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s, SSL3_AL_WARNING, al); + return 1; + + + case SSL_TLSEXT_ERR_NOACK: + s->servername_done = 0; + default: return 1; - } } +} /* Since the server cache lookup is done early on in the processing of the * ClientHello, and other operations depend on the result, we need to handle @@ -2188,9 +2078,10 @@ int ssl_check_serverhello_tlsext(SSL *s) * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. * Otherwise, s->tlsext_ticket_expected is set to 0. */ -int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - const unsigned char *limit, SSL_SESSION **ret) - { +int +tls1_process_ticket(SSL *s, unsigned char *session_id, int len, + const unsigned char *limit, SSL_SESSION **ret) +{ /* Point after session ID in client hello */ const unsigned char *p = session_id + len; unsigned short i; 
@@ -2208,16 +2099,15 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, if (p >= limit) return -1; /* Skip past DTLS cookie */ - if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) - { + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { i = *(p++); - p+= i; + p += i; if (p >= limit) return -1; - } + } /* Skip past cipher list */ n2s(p, i); - p+= i; + p += i; if (p >= limit) return -1; /* Skip past compression algorithm list */ 
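Review bot: Both skips in this hunk do `p += i;` with a length taken from the ClientHello and only afterwards test `p >= limit`. Forming a pointer more than one past the end of the buffer is undefined behaviour, and a compiler or an address wrap can in principle defeat the later comparison. Comparing the remaining space before advancing avoids this: `if (limit - p <= i) return -1;` followed by `p += i;`. The `if (p + size > limit)` test in the extension loop of the following hunk is the same pattern and reads better as `if (size > limit - p)`. tls1_process_ticket starts before this hunk and continues past it.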
@@ -2229,51 +2119,46 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, if ((p + 2) >= limit) return 0; n2s(p, i); - while ((p + 4) <= limit) - { + while ((p + 4) <= limit) { unsigned short type, size; n2s(p, type); n2s(p, size); if (p + size > limit) return 0; - if (type == TLSEXT_TYPE_session_ticket) - { + if (type == TLSEXT_TYPE_session_ticket) { int r; - if (size == 0) - { + if (size == 0) { /* The client will accept a ticket but doesn't * currently have one. */ s->tlsext_ticket_expected = 1; return 1; - } - if (s->tls_session_secret_cb) - { + } + if (s->tls_session_secret_cb) { /* Indicate that the ticket couldn't be * decrypted rather than generating the session * from ticket now, trigger abbreviated * handshake based on external mechanism to * calculate the master secret later. */ return 2; - } + } r = tls_decrypt_ticket(s, p, size, session_id, len, ret); - switch (r) - { - case 2: /* ticket couldn't be decrypted */ - s->tlsext_ticket_expected = 1; - return 2; - case 3: /* ticket was decrypted */ - return r; - case 4: /* ticket decrypted but need to renew */ - s->tlsext_ticket_expected = 1; - return 3; - default: /* fatal error */ - return -1; - } + switch (r) { + case 2: /* ticket couldn't be decrypted */ + s->tlsext_ticket_expected = 1; + return 2; + case 3: /* ticket was decrypted */ + return r; + case 4: /* ticket decrypted but need to renew */ + s->tlsext_ticket_expected = 1; + return 3; + default: /* fatal error */ + return -1; } - p += size; } - return 0; + p += size; } + return 0; +} /* tls_decrypt_ticket attempts to decrypt a session ticket. * 
@@ -2290,10 +2175,10 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, * 3: a ticket was successfully decrypted and *psess was set. * 4: same as 3, but the ticket needs to be renewed. */ -static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, - const unsigned char *sess_id, int sesslen, - SSL_SESSION **psess) - { +static int +tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, + const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) +{ SSL_SESSION *sess; unsigned char *sdec; const unsigned char *p; @@ -2308,37 +2193,33 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, /* Initialize session ticket encryption and HMAC contexts */ HMAC_CTX_init(&hctx); EVP_CIPHER_CTX_init(&ctx); - if (tctx->tlsext_ticket_key_cb) - { + if (tctx->tlsext_ticket_key_cb) { unsigned char *nctick = (unsigned char *)etick; int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, - &ctx, &hctx, 0); + &ctx, &hctx, 0); if (rv < 0) return -1; if (rv == 0) return 2; if (rv == 2) renew_ticket = 1; - } - else - { + } else { /* Check key name matches */ if (memcmp(etick, tctx->tlsext_tick_key_name, 16)) return 2; HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, - tlsext_tick_md(), NULL); + tlsext_tick_md(), NULL); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->tlsext_tick_aes_key, etick + 16); - } + tctx->tlsext_tick_aes_key, etick + 16); + } /* Attempt to process session ticket, first conduct sanity and * integrity checks on ticket. */ mlen = HMAC_size(&hctx); - if (mlen < 0) - { + if (mlen < 0) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; - } + } eticklen -= mlen; /* Check HMAC of encrypted ticket */ HMAC_Update(&hctx, etick, eticklen); 
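Review bot: The `mlen < 0` error path in tls_decrypt_ticket calls `EVP_CIPHER_CTX_cleanup(&ctx)` but leaves `hctx` untouched, although by that point it has been set up either by `HMAC_Init_ex` or by the ticket-key callback. Add `HMAC_CTX_cleanup(&hctx);` next to the cipher cleanup so both contexts are released together. The results of `HMAC_Init_ex` and `EVP_DecryptInit_ex` are also discarded here, so a failed initialisation would go unnoticed until the MAC comparison; checking them and returning -1 would make that explicit. The function body continues beyond this hunk.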
@@ -2351,11 +2232,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); sdec = OPENSSL_malloc(eticklen); - if (!sdec) - { + if (!sdec) { EVP_CIPHER_CTX_cleanup(&ctx); return -1; - } + } EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen); if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) return 2; @@ -2365,8 +2245,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, sess = d2i_SSL_SESSION(NULL, &p, slen); OPENSSL_free(sdec); - if (sess) - { + if (sess) { /* The session ID, if non-empty, is used by some clients to * detect that the ticket has been accepted. So we copy it to * the session structure. If it is empty set length to zero @@ -2380,20 +2259,19 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, return 4; else return 3; - } - ERR_clear_error(); + } + ERR_clear_error(); /* For session parse failure, indicate that we need to send a new * ticket. */ return 2; - } +} /* Tables to translate from NIDs to TLS v1.2 ids */ -typedef struct - { +typedef struct { int nid; int id; - } tls12_lookup; +} tls12_lookup; static tls12_lookup tls12_md[] = { #ifndef OPENSSL_NO_MD5 
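Review bot: `if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) return 2;` returns without freeing `sdec` and without cleaning up `ctx`. Every ticket that reaches this point and fails final decryption therefore leaks the freshly allocated plaintext buffer and the cipher state. The bare return should become a block that runs `EVP_CIPHER_CTX_cleanup(&ctx);`, then `OPENSSL_free(sdec);`, then `return 2;`. The start of tls_decrypt_ticket and the HMAC comparison that precedes this code are outside the hunk.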
@@ -2424,36 +2302,37 @@ static tls12_lookup tls12_sig[] = { #endif }; -static int tls12_find_id(int nid, tls12_lookup *table, size_t tlen) - { +static int +tls12_find_id(int nid, tls12_lookup *table, size_t tlen) +{ size_t i; - for (i = 0; i < tlen; i++) - { + for (i = 0; i < tlen; i++) { if (table[i].nid == nid) return table[i].id; - } - return -1; } + return -1; +} #if 0 -static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen) - { +static int +tls12_find_nid(int id, tls12_lookup *table, size_t tlen) +{ size_t i; - for (i = 0; i < tlen; i++) - { + for (i = 0; i < tlen; i++) { if (table[i].id == id) return table[i].nid; - } - return -1; } + return -1; +} #endif -int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) - { +int +tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) +{ int sig_id, md_id; if (!md) return 0; md_id = tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md)/sizeof(tls12_lookup)); + sizeof(tls12_md)/sizeof(tls12_lookup)); if (md_id == -1) return 0; sig_id = tls12_get_sigid(pk); 
@@ -2462,46 +2341,48 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) p[0] = (unsigned char)md_id; p[1] = (unsigned char)sig_id; return 1; - } +} -int tls12_get_sigid(const EVP_PKEY *pk) - { +int +tls12_get_sigid(const EVP_PKEY *pk) +{ return tls12_find_id(pk->type, tls12_sig, - sizeof(tls12_sig)/sizeof(tls12_lookup)); - } + sizeof(tls12_sig)/sizeof(tls12_lookup)); +} -const EVP_MD *tls12_get_hash(unsigned char hash_alg) - { - switch(hash_alg) - { +const EVP_MD +*tls12_get_hash(unsigned char hash_alg) +{ + switch (hash_alg) { #ifndef OPENSSL_NO_SHA - case TLSEXT_hash_sha1: + case TLSEXT_hash_sha1: return EVP_sha1(); #endif #ifndef OPENSSL_NO_SHA256 - case TLSEXT_hash_sha224: + case TLSEXT_hash_sha224: return EVP_sha224(); - case TLSEXT_hash_sha256: + case TLSEXT_hash_sha256: return EVP_sha256(); #endif #ifndef OPENSSL_NO_SHA512 - case TLSEXT_hash_sha384: + case TLSEXT_hash_sha384: return EVP_sha384(); - case TLSEXT_hash_sha512: + case TLSEXT_hash_sha512: return EVP_sha512(); #endif - default: + default: return NULL; - } } +} /* Set preferred digest for each key type */ -int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) - { +int +tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) +{ int i, idx; const EVP_MD *md; CERT *c = s->cert; 
@@ -2517,44 +2398,40 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; c->pkeys[SSL_PKEY_ECC].digest = NULL; - for (i = 0; i < dsize; i += 2) - { - unsigned char hash_alg = data[i], sig_alg = data[i+1]; + for (i = 0; i < dsize; i += 2) { + unsigned char hash_alg = data[i], sig_alg = data[i + 1]; - switch(sig_alg) - { + switch (sig_alg) { #ifndef OPENSSL_NO_RSA - case TLSEXT_signature_rsa: + case TLSEXT_signature_rsa: idx = SSL_PKEY_RSA_SIGN; break; #endif #ifndef OPENSSL_NO_DSA - case TLSEXT_signature_dsa: + case TLSEXT_signature_dsa: idx = SSL_PKEY_DSA_SIGN; break; #endif #ifndef OPENSSL_NO_ECDSA - case TLSEXT_signature_ecdsa: + case TLSEXT_signature_ecdsa: idx = SSL_PKEY_ECC; break; #endif - default: + default: continue; - } + } - if (c->pkeys[idx].digest == NULL) - { + if (c->pkeys[idx].digest == NULL) { md = tls12_get_hash(hash_alg); - if (md) - { + if (md) { c->pkeys[idx].digest = md; if (idx == SSL_PKEY_RSA_SIGN) c->pkeys[SSL_PKEY_RSA_ENC].digest = md; - } } - } + } + /* Set any remaining keys to default values. NOTE: if alg is not * supported it stays as NULL. @@ -2564,25 +2441,24 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize) c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) - { + if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - } + } #endif #ifndef OPENSSL_NO_ECDSA if (!c->pkeys[SSL_PKEY_ECC].digest) c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif return 1; - } +} #endif #ifndef OPENSSL_NO_HEARTBEATS int tls1_process_heartbeat(SSL *s) - { +{ unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned short hbtype; unsigned int payload; 
@@ -2590,8 +2466,8 @@ tls1_process_heartbeat(SSL *s) if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); /* Read type and payload length first */ if (1 + 2 + 16 > s->s3->rrec.length) @@ -2602,8 +2478,7 @@ tls1_process_heartbeat(SSL *s) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p; - if (hbtype == TLS1_HB_REQUEST) - { + if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; int r; @@ -2613,7 +2488,7 @@ tls1_process_heartbeat(SSL *s) */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; - + /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); @@ -2626,36 +2501,33 @@ tls1_process_heartbeat(SSL *s) if (r >= 0 && s->msg_callback) s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buffer, 3 + payload + padding, - s, s->msg_callback_arg); + buffer, 3 + payload + padding, + s, s->msg_callback_arg); OPENSSL_free(buffer); if (r < 0) return r; - } - else if (hbtype == TLS1_HB_RESPONSE) - { + } else if (hbtype == TLS1_HB_RESPONSE) { unsigned int seq; - + /* We only send sequence numbers (2 bytes unsigned int), * and 16 random bytes, so we just try to read the * sequence number */ n2s(pl, seq); - - if (payload == 18 && seq == s->tlsext_hb_seq) - { + + if (payload == 18 && seq == s->tlsext_hb_seq) { s->tlsext_hb_seq++; s->tlsext_hb_pending = 0; - } } + } return 0; - } +} int tls1_heartbeat(SSL *s) - { +{ unsigned char *buf, *p; int ret; unsigned int payload = 18; /* Sequence number + random bytes */ 
@@ -2663,26 +2535,23 @@ tls1_heartbeat(SSL *s) /* Only send if peer supports and accepts HB requests... */ if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || - s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) - { - SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); + s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { + SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); return -1; - } + } /* ...and there is none in flight yet... */ - if (s->tlsext_hb_pending) - { - SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); + if (s->tlsext_hb_pending) { + SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING); return -1; - } - + } + /* ...and no handshake in progress. */ - if (SSL_in_init(s) || s->in_handshake) - { - SSLerr(SSL_F_TLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); + if (SSL_in_init(s) || s->in_handshake) { + SSLerr(SSL_F_TLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE); return -1; - } - + } + /* Check if padding is too long, payload and padding * must not exceed 2^14 - 3 = 16381 bytes in total. */ @@ -2712,18 +2581,17 @@ tls1_heartbeat(SSL *s) RAND_pseudo_bytes(p, padding); ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); - if (ret >= 0) - { + if (ret >= 0) { if (s->msg_callback) s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buf, 3 + payload + padding, - s, s->msg_callback_arg); + buf, 3 + payload + padding, + s, s->msg_callback_arg); s->tlsext_hb_pending = 1; - } - + } + OPENSSL_free(buf); return ret; - } +} #endif diff --git a/src/lib/libssl/t1_meth.c b/src/lib/libssl/t1_meth.c index 53c807de28..ab2d789e59 100644 --- a/src/lib/libssl/t1_meth.c +++ b/src/lib/libssl/t1_meth.c @@ -60,8 +60,9 @@ #include #include "ssl_locl.h" -static const SSL_METHOD *tls1_get_method(int ver) - { +static const SSL_METHOD +*tls1_get_method(int ver) +{ if (ver == TLS1_2_VERSION) return TLSv1_2_method(); if (ver == TLS1_1_VERSION) 
@@ -69,20 +70,13 @@ static const SSL_METHOD *tls1_get_method(int ver) if (ver == TLS1_VERSION) return TLSv1_method(); return NULL; - } +} IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_method, - ssl3_accept, - ssl3_connect, - tls1_get_method) + ssl3_accept, ssl3_connect, tls1_get_method) IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_method, - ssl3_accept, - ssl3_connect, - tls1_get_method) + ssl3_accept, ssl3_connect, tls1_get_method) IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_method, - ssl3_accept, - ssl3_connect, - tls1_get_method) - + ssl3_accept, ssl3_connect, tls1_get_method) diff --git a/src/lib/libssl/t1_reneg.c b/src/lib/libssl/t1_reneg.c index 9c2cc3c712..86e0e61ffb 100644 --- a/src/lib/libssl/t1_reneg.c +++ b/src/lib/libssl/t1_reneg.c 
@@ -113,180 +113,170 @@ #include "ssl_locl.h" /* Add the client's renegotiation binding */ -int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) - { - if(p) - { - if((s->s3->previous_client_finished_len+1) > maxlen) - { - SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len; - p++; +int +ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, + int maxlen) +{ + if (p) { + if ((s->s3->previous_client_finished_len + 1) > maxlen) { + SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG); + return 0; + } - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); + /* Length byte */ + *p = s->s3->previous_client_finished_len; + p++; + + memcpy(p, s->s3->previous_client_finished, + s->s3->previous_client_finished_len); #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by client\n", + fprintf(stderr, "%s RI extension sent by client\n", s->s3->previous_client_finished_len ? 
"Non-empty" : "Empty"); #endif - } - - *len=s->s3->previous_client_finished_len + 1; + } + + *len = s->s3->previous_client_finished_len + 1; - - return 1; - } + return 1; +} /* Parse the client's renegotiation binding and abort if it's not right */ -int ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, - int *al) - { - int ilen; +int +ssl_parse_clienthello_renegotiate_ext(SSL *s, unsigned char *d, int len, + int *al) +{ + int ilen; + + /* Parse the length byte */ + if (len < 1) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + ilen = *d; + d++; - /* Parse the length byte */ - if(len < 1) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - ilen = *d; - d++; + /* Consistency check */ + if ((ilen + 1) != len) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } - /* Consistency check */ - if((ilen+1) != len) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + /* Check that the extension matches */ + if (ilen != s->s3->previous_client_finished_len) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } - /* Check that the extension matches */ - if(ilen != s->s3->previous_client_finished_len) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - - if(memcmp(d, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } + if (memcmp(d, s->s3->previous_client_finished, + 
s->s3->previous_client_finished_len)) { + SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by server\n", - ilen ? "Non-empty" : "Empty"); + fprintf(stderr, "%s RI extension received by server\n", + ilen ? "Non-empty" : "Empty"); #endif - s->s3->send_connection_binding=1; + s->s3->send_connection_binding = 1; - return 1; - } + return 1; +} /* Add the server's renegotiation binding */ -int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, - int maxlen) - { - if(p) - { - if((s->s3->previous_client_finished_len + - s->s3->previous_server_finished_len + 1) > maxlen) - { - SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATE_EXT_TOO_LONG); - return 0; - } - - /* Length byte */ - *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; - p++; +int +ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, + int maxlen) +{ + if (p) { + if ((s->s3->previous_client_finished_len + + s->s3->previous_server_finished_len + 1) > maxlen) { + SSLerr(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATE_EXT_TOO_LONG); + return 0; + } - memcpy(p, s->s3->previous_client_finished, - s->s3->previous_client_finished_len); - p += s->s3->previous_client_finished_len; + /* Length byte */ + *p = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; + p++; - memcpy(p, s->s3->previous_server_finished, - s->s3->previous_server_finished_len); + memcpy(p, s->s3->previous_client_finished, + s->s3->previous_client_finished_len); + p += s->s3->previous_client_finished_len; + + memcpy(p, s->s3->previous_server_finished, + s->s3->previous_server_finished_len); #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by server\n", - s->s3->previous_client_finished_len ? 
"Non-empty" : "Empty"); + fprintf(stderr, "%s RI extension sent by server\n", + s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); #endif - } - - *len=s->s3->previous_client_finished_len + } + + *len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len + 1; - - return 1; - } + + return 1; +} /* Parse the server's renegotiation binding and abort if it's not right */ -int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, - int *al) - { - int expected_len=s->s3->previous_client_finished_len +int +ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, + int *al) +{ + int expected_len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; - int ilen; + int ilen; + + /* Check for logic errors */ + OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); + OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); + + /* Parse the length byte */ + if (len < 1) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + ilen = *d; + d++; - /* Check for logic errors */ - OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); - OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); - - /* Parse the length byte */ - if(len < 1) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - ilen = *d; - d++; + /* Consistency check */ + if (ilen + 1 != len) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } - /* Consistency check */ - if(ilen+1 != len) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_ENCODING_ERR); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - - /* Check that the extension matches */ - if(ilen != expected_len) - { - 
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } + /* Check that the extension matches */ + if (ilen != expected_len) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } - if(memcmp(d, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - d += s->s3->previous_client_finished_len; + if (memcmp(d, s->s3->previous_client_finished, + s->s3->previous_client_finished_len)) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } + d += s->s3->previous_client_finished_len; - if(memcmp(d, s->s3->previous_server_finished, - s->s3->previous_server_finished_len)) - { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT,SSL_R_RENEGOTIATION_MISMATCH); - *al=SSL_AD_ILLEGAL_PARAMETER; - return 0; - } + if (memcmp(d, s->s3->previous_server_finished, + s->s3->previous_server_finished_len)) { + SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); + *al = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by client\n", - ilen ? "Non-empty" : "Empty"); + fprintf(stderr, "%s RI extension received by client\n", + ilen ? "Non-empty" : "Empty"); #endif - s->s3->send_connection_binding=1; + s->s3->send_connection_binding = 1; - return 1; - } + return 1; +} diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c index f1d1565769..776bcabc46 100644 --- a/src/lib/libssl/t1_srvr.c +++ b/src/lib/libssl/t1_srvr.c 
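Review bot: In ssl_parse_serverhello_renegotiate_ext, the final `memcmp` against `previous_server_finished` sets `*al = SSL_AD_ILLEGAL_PARAMETER`, while the other two branches in that function that raise `SSL_R_RENEGOTIATION_MISMATCH` set `SSL_AD_HANDSHAKE_FAILURE`. If the difference is not intentional, the last branch should read `*al = SSL_AD_HANDSHAKE_FAILURE;`, made as a separate change so this commit stays whitespace-only. Several of the reflowed `SSLerr(...)` calls in this hunk also appear to run past 80 columns and would need wrapping to match KNF.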
@@ -65,8 +65,10 @@ #include static const SSL_METHOD *tls1_get_server_method(int ver); -static const SSL_METHOD *tls1_get_server_method(int ver) - { + +static const SSL_METHOD +*tls1_get_server_method(int ver) +{ if (ver == TLS1_2_VERSION) return TLSv1_2_server_method(); if (ver == TLS1_1_VERSION) @@ -74,20 +76,13 @@ static const SSL_METHOD *tls1_get_server_method(int ver) if (ver == TLS1_VERSION) return TLSv1_server_method(); return NULL; - } +} IMPLEMENT_tls_meth_func(TLS1_2_VERSION, TLSv1_2_server_method, - ssl3_accept, - ssl_undefined_function, - tls1_get_server_method) + ssl3_accept, ssl_undefined_function, tls1_get_server_method) IMPLEMENT_tls_meth_func(TLS1_1_VERSION, TLSv1_1_server_method, - ssl3_accept, - ssl_undefined_function, - tls1_get_server_method) + ssl3_accept, ssl_undefined_function, tls1_get_server_method) IMPLEMENT_tls_meth_func(TLS1_VERSION, TLSv1_server_method, - ssl3_accept, - ssl_undefined_function, - tls1_get_server_method) - + ssl3_accept, ssl_undefined_function, tls1_get_server_method) -- cgit v1.2.3-55-g6feb