diff options
Diffstat (limited to 'openssl/ssl')
| -rw-r--r-- | openssl/ssl/d1_both.c | 13 | ||||
| -rw-r--r-- | openssl/ssl/d1_clnt.c | 36 | ||||
| -rw-r--r-- | openssl/ssl/d1_lib.c | 1 | ||||
| -rw-r--r-- | openssl/ssl/d1_pkt.c | 7 | ||||
| -rw-r--r-- | openssl/ssl/d1_srvr.c | 29 | ||||
| -rw-r--r-- | openssl/ssl/s23_clnt.c | 29 | ||||
| -rw-r--r-- | openssl/ssl/s3_both.c | 8 | ||||
| -rw-r--r-- | openssl/ssl/s3_cbc.c | 2 | ||||
| -rw-r--r-- | openssl/ssl/s3_clnt.c | 7 | ||||
| -rw-r--r-- | openssl/ssl/s3_lib.c | 20 | ||||
| -rw-r--r-- | openssl/ssl/s3_pkt.c | 10 | ||||
| -rw-r--r-- | openssl/ssl/s3_srvr.c | 16 | ||||
| -rw-r--r-- | openssl/ssl/ssl.h | 11 | ||||
| -rw-r--r-- | openssl/ssl/ssl3.h | 9 | ||||
| -rw-r--r-- | openssl/ssl/ssl_lib.c | 8 | ||||
| -rw-r--r-- | openssl/ssl/ssl_locl.h | 3 | ||||
| -rw-r--r-- | openssl/ssl/ssltest.c | 8 | ||||
| -rw-r--r-- | openssl/ssl/t1_enc.c | 28 | ||||
| -rw-r--r-- | openssl/ssl/t1_lib.c | 104 |
19 files changed, 262 insertions, 87 deletions
diff --git a/openssl/ssl/d1_both.c b/openssl/ssl/d1_both.c index de8bab873..7a5596a6b 100644 --- a/openssl/ssl/d1_both.c +++ b/openssl/ssl/d1_both.c @@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) static void dtls1_hm_fragment_free(hm_fragment *frag) { + + if (frag->msg_header.is_ccs) + { + EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); + EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); + } if (frag->fragment) OPENSSL_free(frag->fragment); if (frag->reassembly) OPENSSL_free(frag->reassembly); OPENSSL_free(frag); @@ -313,9 +319,10 @@ int dtls1_do_write(SSL *s, int type) s->init_off -= DTLS1_HM_HEADER_LENGTH; s->init_num += DTLS1_HM_HEADER_LENGTH; - /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ - if ( len <= DTLS1_HM_HEADER_LENGTH) - len += DTLS1_HM_HEADER_LENGTH; + if ( s->init_num > curr_mtu) + len = curr_mtu; + else + len = s->init_num; } dtls1_fix_message_header(s, frag_off, diff --git a/openssl/ssl/d1_clnt.c b/openssl/ssl/d1_clnt.c index a6ed09c51..48e5e06bd 100644 --- a/openssl/ssl/d1_clnt.c +++ b/openssl/ssl/d1_clnt.c @@ -538,13 +538,6 @@ int dtls1_connect(SSL *s) SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); if (ret <= 0) goto end; -#ifndef OPENSSL_NO_SCTP - /* Change to new shared key of SCTP-Auth, - * will be ignored if no SCTP used. - */ - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); -#endif - s->state=SSL3_ST_CW_FINISHED_A; s->init_num=0; @@ -571,6 +564,16 @@ int dtls1_connect(SSL *s) goto end; } +#ifndef OPENSSL_NO_SCTP + if (s->hit) + { + /* Change to new shared key of SCTP-Auth, + * will be ignored if no SCTP used. + */ + BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); + } +#endif + dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); break; @@ -613,6 +616,13 @@ int dtls1_connect(SSL *s) } else { +#ifndef OPENSSL_NO_SCTP + /* Change to new shared key of SCTP-Auth, + * will be ignored if no SCTP used. + */ + BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); +#endif + #ifndef OPENSSL_NO_TLSEXT /* Allow NewSessionTicket if ticket expected */ if (s->tlsext_ticket_expected) @@ -773,7 +783,7 @@ int dtls1_client_hello(SSL *s) unsigned char *buf; unsigned char *p,*d; unsigned int i,j; - unsigned long Time,l; + unsigned long l; SSL_COMP *comp; buf=(unsigned char *)s->init_buf->data; @@ -798,13 +808,11 @@ int dtls1_client_hello(SSL *s) /* if client_random is initialized, reuse it, we are * required to use same upon reply to HelloVerify */ - for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; + for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) + ; if (i==sizeof(s->s3->client_random)) - { - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4); - } + ssl_fill_hello_random(s, 0, p, + sizeof(s->s3->client_random)); /* Do the message type and length last */ d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/openssl/ssl/d1_lib.c b/openssl/ssl/d1_lib.c index f61f71818..106939f24 100644 --- a/openssl/ssl/d1_lib.c +++ b/openssl/ssl/d1_lib.c @@ -196,6 +196,7 @@ void dtls1_free(SSL *s) pqueue_free(s->d1->buffered_app_data.q); OPENSSL_free(s->d1); + s->d1 = NULL; } void dtls1_clear(SSL *s) diff --git a/openssl/ssl/d1_pkt.c b/openssl/ssl/d1_pkt.c index 0bf87be6d..8186462d4 100644 --- a/openssl/ssl/d1_pkt.c +++ b/openssl/ssl/d1_pkt.c @@ -847,6 +847,12 @@ start: } } + if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) + { + rr->length = 0; + goto start; + } + /* we now have a packet which can be read and processed */ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, @@ -1051,6 +1057,7 @@ start: !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && !s->s3->renegotiate) { + s->d1->handshake_read_seq++; s->new_session = 1; ssl3_renegotiate(s); if (ssl3_renegotiate_check(s)) diff --git a/openssl/ssl/d1_srvr.c b/openssl/ssl/d1_srvr.c index 29421da9a..9975e2087 100644 --- a/openssl/ssl/d1_srvr.c +++ b/openssl/ssl/d1_srvr.c @@ -276,10 +276,11 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_HELLO_REQ_B: s->shutdown=0; + dtls1_clear_record_buffer(s); dtls1_start_timer(s); ret=dtls1_send_hello_request(s); if (ret <= 0) goto end; - s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; + s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A; s->state=SSL3_ST_SW_FLUSH; s->init_num=0; @@ -721,10 +722,13 @@ int dtls1_accept(SSL *s) if (ret <= 0) goto end; #ifndef OPENSSL_NO_SCTP - /* Change to new shared key of SCTP-Auth, - * will be ignored if no SCTP used. - */ - BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); + if (!s->hit) + { + /* Change to new shared key of SCTP-Auth, + * will be ignored if no SCTP used. + */ + BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); + } #endif s->state=SSL3_ST_SW_FINISHED_A; @@ -749,7 +753,16 @@ int dtls1_accept(SSL *s) if (ret <= 0) goto end; s->state=SSL3_ST_SW_FLUSH; if (s->hit) + { s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; + +#ifndef OPENSSL_NO_SCTP + /* Change to new shared key of SCTP-Auth, + * will be ignored if no SCTP used. + */ + BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); +#endif + } else { s->s3->tmp.next_state=SSL_ST_OK; @@ -912,15 +925,13 @@ int dtls1_send_server_hello(SSL *s) unsigned char *p,*d; int i; unsigned int sl; - unsigned long l,Time; + unsigned long l; if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; p=s->s3->server_random; - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); + ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE); /* Do the message type and length last */ d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/openssl/ssl/s23_clnt.c b/openssl/ssl/s23_clnt.c index 47673e740..84670b6c1 100644 --- a/openssl/ssl/s23_clnt.c +++ b/openssl/ssl/s23_clnt.c @@ -269,12 +269,35 @@ static int ssl23_no_ssl2_ciphers(SSL *s) return 1; } +/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 + * on failure, 1 on success. */ +int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) + { + int send_time = 0; + + if (len < 4) + return 0; + if (server) + send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0; + else + send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; + if (send_time) + { + unsigned long Time = time(NULL); + unsigned char *p = result; + l2n(Time, p); + return RAND_pseudo_bytes(p, len-4); + } + else + return RAND_pseudo_bytes(result, len); + } + static int ssl23_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; int i,ch_len; - unsigned long Time,l; + unsigned long l; int ssl2_compat; int version = 0, version_major, version_minor; #ifndef OPENSSL_NO_COMP @@ -355,9 +378,7 @@ static int ssl23_client_hello(SSL *s) #endif p=s->s3->client_random; - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) return -1; if (version == TLS1_2_VERSION) diff --git a/openssl/ssl/s3_both.c b/openssl/ssl/s3_both.c index ead01c82a..53b9390fd 100644 --- a/openssl/ssl/s3_both.c +++ b/openssl/ssl/s3_both.c @@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) i=s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.finish_md); + if (i == 0) + return 0; s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); p+=i; @@ -208,7 +210,11 @@ static void ssl3_take_mac(SSL *s) { const char *sender; int slen; - + /* If no new cipher setup return immediately: other functions will + * set the appropriate error. + */ + if (s->s3->tmp.new_cipher == NULL) + return; if (s->state & SSL_ST_CONNECT) { sender=s->method->ssl3_enc->server_finished_label; diff --git a/openssl/ssl/s3_cbc.c b/openssl/ssl/s3_cbc.c index 02edf3f91..443a31e74 100644 --- a/openssl/ssl/s3_cbc.c +++ b/openssl/ssl/s3_cbc.c @@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) + if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c index 344e2eb1a..a6b3c01af 100644 --- a/openssl/ssl/s3_clnt.c +++ b/openssl/ssl/s3_clnt.c @@ -655,7 +655,7 @@ int ssl3_client_hello(SSL *s) unsigned char *buf; unsigned char *p,*d; int i; - unsigned long Time,l; + unsigned long l; #ifndef OPENSSL_NO_COMP int j; SSL_COMP *comp; @@ -680,9 +680,8 @@ int ssl3_client_hello(SSL *s) /* else use the pre-loaded session */ p=s->s3->client_random; - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + + if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) goto err; /* Do the message type and length last */ diff --git a/openssl/ssl/s3_lib.c b/openssl/ssl/s3_lib.c index e7c5dcb80..c4ef2738d 100644 --- a/openssl/ssl/s3_lib.c +++ b/openssl/ssl/s3_lib.c @@ -1683,7 +1683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, @@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, @@ -1715,7 +1715,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, @@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s) s->s3->tmp.ecdh = NULL; } #endif +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC + s->s3->is_probably_safari = 0; +#endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_TLSEXT */ rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; @@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ii=sk_SSL_CIPHER_find(allow,c); if (ii >= 0) { +#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT) + if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) + { + if (!ret) ret=sk_SSL_CIPHER_value(allow,ii); + continue; + } +#endif ret=sk_SSL_CIPHER_value(allow,ii); break; } @@ -4274,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. long ssl_get_algorithm2(SSL *s) { long alg2 = s->s3->tmp.new_cipher->algorithm2; - if (TLS1_get_version(s) >= TLS1_2_VERSION && + if (s->method->version == TLS1_2_VERSION && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; diff --git a/openssl/ssl/s3_pkt.c b/openssl/ssl/s3_pkt.c index 804291e27..96ba63262 100644 --- a/openssl/ssl/s3_pkt.c +++ b/openssl/ssl/s3_pkt.c @@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); if (version != s->version) { SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); - if ((s->version & 0xFF00) == (version & 0xFF00)) + if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) /* Send back error using their minor version number :-) */ s->version = (unsigned short)version; al=SSL_AD_PROTOCOL_VERSION; @@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) slen=s->method->ssl3_enc->client_finished_label_len; } - s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, + i = s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.peer_finish_md); + if (i == 0) + { + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); + return 0; + } + s->s3->tmp.peer_finish_md_len = i; return(1); } diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c index bfb848054..52efed328 100644 --- a/openssl/ssl/s3_srvr.c +++ b/openssl/ssl/s3_srvr.c @@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) (s->version != DTLS1_VERSION && s->client_version < s->version)) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); - if ((s->client_version>>8) == SSL3_VERSION_MAJOR) + if ((s->client_version>>8) == SSL3_VERSION_MAJOR && + !s->enc_write_ctx && !s->write_hash) { /* similar to ssl3_get_record, send alert using remote version number */ s->version = s->client_version; @@ -1193,12 +1194,9 @@ int ssl3_get_client_hello(SSL *s) * server_random before calling tls_session_secret_cb in order to allow * SessionTicket processing to use it in key derivation. */ { - unsigned long Time; unsigned char *pos; - Time=(unsigned long)time(NULL); /* Time */ pos=s->s3->server_random; - l2n(Time,pos); - if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) + if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) { al=SSL_AD_INTERNAL_ERROR; goto f_err; @@ -1435,19 +1433,13 @@ int ssl3_send_server_hello(SSL *s) unsigned char *p,*d; int i,sl; unsigned long l; -#ifdef OPENSSL_NO_TLSEXT - unsigned long Time; -#endif if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; #ifdef OPENSSL_NO_TLSEXT p=s->s3->server_random; - /* Generate server_random if it was not needed previously */ - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) return -1; #endif /* Do the message type and length last */ diff --git a/openssl/ssl/ssl.h b/openssl/ssl/ssl.h index 593579ed3..dece04de0 100644 --- a/openssl/ssl/ssl.h +++ b/openssl/ssl/ssl.h @@ -555,11 +555,14 @@ struct ssl_session_st #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ +#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 + /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) * the workaround is not needed. Unfortunately some broken SSL/TLS @@ -641,6 +644,12 @@ struct ssl_session_st * TLS only.) "Released" buffers are put onto a free-list in the context * or just freed (depending on the context's setting for freelist_max_len). */ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L +/* Send the current time in the Random fields of the ClientHello and + * ServerHello records for compatibility with hypothetical implementations + * that require it. + */ +#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L +#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ diff --git a/openssl/ssl/ssl3.h b/openssl/ssl/ssl3.h index 247e88c2d..cb8b2492e 100644 --- a/openssl/ssl/ssl3.h +++ b/openssl/ssl/ssl3.h @@ -539,6 +539,15 @@ typedef struct ssl3_state_st /* Set if we saw the Next Protocol Negotiation extension from our peer. */ int next_proto_neg_seen; #endif + +#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_EC + /* This is set to true if we believe that this is a version of Safari + * running on OS X 10.6 or newer. We wish to know this because Safari + * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */ + char is_probably_safari; +#endif /* !OPENSSL_NO_EC */ +#endif /* !OPENSSL_NO_TLSEXT */ } SSL3_STATE; #endif diff --git a/openssl/ssl/ssl_lib.c b/openssl/ssl/ssl_lib.c index 14d143da0..6dbc3c1f7 100644 --- a/openssl/ssl/ssl_lib.c +++ b/openssl/ssl/ssl_lib.c @@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs=NULL; - ret->comp_methods=SSL_COMP_get_compression_methods(); + /* No compression for DTLS */ + if (meth->version != DTLS1_VERSION) + ret->comp_methods=SSL_COMP_get_compression_methods(); ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; @@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { - if (s->server) - return(ssl_get_server_send_cert(s)); - else if (s->cert != NULL) + if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); diff --git a/openssl/ssl/ssl_locl.h b/openssl/ssl/ssl_locl.h index 1b98947e6..e48590774 100644 --- a/openssl/ssl/ssl_locl.h +++ b/openssl/ssl/ssl_locl.h @@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; extern SSL3_ENC_METHOD SSLv3_enc_data; extern SSL3_ENC_METHOD DTLSv1_enc_data; +#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ s_get_meth) \ const SSL_METHOD *func_name(void) \ @@ -847,6 +849,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); void ssl_load_ciphers(void); +int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); int ssl2_enc_init(SSL *s, int client); int ssl2_generate_key_material(SSL *s); diff --git a/openssl/ssl/ssltest.c b/openssl/ssl/ssltest.c index 316bbb0c9..4f80be8ee 100644 --- a/openssl/ssl/ssltest.c +++ b/openssl/ssl/ssltest.c @@ -881,7 +881,13 @@ bad: meth=SSLv23_method(); #else #ifdef OPENSSL_NO_SSL2 - meth=SSLv3_method(); + if (tls1) + meth=TLSv1_method(); + else + if (ssl3) + meth=SSLv3_method(); + else + meth=SSLv23_method(); #else meth=SSLv2_method(); #endif diff --git a/openssl/ssl/t1_enc.c b/openssl/ssl/t1_enc.c index 809ad2ee1..56db83430 100644 --- a/openssl/ssl/t1_enc.c +++ b/openssl/ssl/t1_enc.c @@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; - if (s->enc_write_ctx != NULL) + if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) reuse_dd = 1; - else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) + else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) goto err; - else - /* make sure it's intialized in case we exit later with an error */ - EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; - mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + if (SSL_IS_DTLS(s)) + { + mac_ctx = EVP_MD_CTX_create(); + if (!mac_ctx) + goto err; + s->write_hash = mac_ctx; + } + else + mac_ctx = ssl_replace_hash(&s->write_hash,NULL); #ifndef OPENSSL_NO_COMP if (s->compress != NULL) { @@ -915,18 +920,19 @@ int tls1_final_finish_mac(SSL *s, if (mask & ssl_get_algorithm2(s)) { int hashsize = EVP_MD_size(md); - if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) + EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; + if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) { /* internal error: 'buf' is too small for this cipersuite! */ err = 1; } else { - EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); - EVP_DigestFinal_ex(&ctx,q,&i); - if (i != (unsigned int)hashsize) /* can't really happen */ + if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || + !EVP_DigestFinal_ex(&ctx,q,&i) || + (i != (unsigned int)hashsize)) err = 1; - q+=i; + q+=hashsize; } } } diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c index e08088c57..33afdeba3 100644 --- a/openssl/ssl/t1_lib.c +++ b/openssl/ssl/t1_lib.c @@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = { #ifndef OPENSSL_NO_SHA tlsext_sigalg(TLSEXT_hash_sha1) #endif -#ifndef OPENSSL_NO_MD5 - tlsext_sigalg_rsa(TLSEXT_hash_md5) -#endif }; int tls12_get_req_sig_algs(SSL *s, unsigned char *p) { size_t slen = sizeof(tls12_sigalgs); -#ifdef OPENSSL_FIPS - /* If FIPS mode don't include MD5 which is last */ - if (FIPS_mode()) - slen -= 2; -#endif if (p) memcpy(p, tls12_sigalgs, slen); return (int)slen; @@ -866,6 +858,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha return ret; } +#ifndef OPENSSL_NO_EC +/* ssl_check_for_safari attempts to fingerprint Safari using OS X + * SecureTransport using the TLS extension block in |d|, of length |n|. + * Safari, since 10.6, sends exactly these extensions, in this order: + * SNI, + * elliptic_curves + * ec_point_formats + * + * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8, + * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them. + * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from + * 10.8..10.8.3 (which don't work). + */ +static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) { + unsigned short type, size; + static const unsigned char kSafariExtensionsBlock[] = { + 0x00, 0x0a, /* elliptic_curves extension */ + 0x00, 0x08, /* 8 bytes */ + 0x00, 0x06, /* 6 bytes of curve ids */ + 0x00, 0x17, /* P-256 */ + 0x00, 0x18, /* P-384 */ + 0x00, 0x19, /* P-521 */ + + 0x00, 0x0b, /* ec_point_formats */ + 0x00, 0x02, /* 2 bytes */ + 0x01, /* 1 point format */ + 0x00, /* uncompressed */ + }; + + /* The following is only present in TLS 1.2 */ + static const unsigned char kSafariTLS12ExtensionsBlock[] = { + 0x00, 0x0d, /* signature_algorithms */ + 0x00, 0x0c, /* 12 bytes */ + 0x00, 0x0a, /* 10 bytes */ + 0x05, 0x01, /* SHA-384/RSA */ + 0x04, 0x01, /* SHA-256/RSA */ + 0x02, 0x01, /* SHA-1/RSA */ + 0x04, 0x03, /* SHA-256/ECDSA */ + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + + if (data >= (d+n-2)) + return; + data += 2; + + if (data > (d+n-4)) + return; + n2s(data,type); + n2s(data,size); + + if (type != TLSEXT_TYPE_server_name) + return; + + if (data+size > d+n) + return; + data += size; + + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) + { + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + + if (data + len1 + len2 != d+n) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; + if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0) + return; + } + else + { + const size_t len = sizeof(kSafariExtensionsBlock); + + if (data + len != d+n) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; + } + + s->s3->is_probably_safari = 1; +} +#endif /* !OPENSSL_NO_EC */ + int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) { unsigned short type; @@ -886,6 +961,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in SSL_TLSEXT_HB_DONT_SEND_REQUESTS); #endif +#ifndef OPENSSL_NO_EC + if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) + ssl_check_for_safari(s, data, d, n); +#endif /* !OPENSSL_NO_EC */ + if (data >= (d+n-2)) goto ri_check; n2s(data,len); @@ -2364,14 +2444,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg) { switch(hash_alg) { -#ifndef OPENSSL_NO_MD5 - case TLSEXT_hash_md5: -#ifdef OPENSSL_FIPS - if (FIPS_mode()) - return NULL; -#endif - return EVP_md5(); -#endif #ifndef OPENSSL_NO_SHA case TLSEXT_hash_sha1: return EVP_sha1(); |