Update OpenSSL to 1.0.2h

This commit is contained in:
mrezai 2016-05-03 23:59:14 +04:30
parent e0d27c5523
commit ab623c923d
35 changed files with 365 additions and 153 deletions

View File

@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
} else { } else {
if (len != 0) { if (len != 0) {
if ((ret->length < len) || (ret->data == NULL)) { if ((ret->length < len) || (ret->data == NULL)) {
if (ret->data != NULL)
OPENSSL_free(ret->data);
s = (unsigned char *)OPENSSL_malloc((int)len + 1); s = (unsigned char *)OPENSSL_malloc((int)len + 1);
if (s == NULL) { if (s == NULL) {
i = ERR_R_MALLOC_FAILURE; i = ERR_R_MALLOC_FAILURE;
goto err; goto err;
} }
if (ret->data != NULL)
OPENSSL_free(ret->data);
} else } else
s = ret->data; s = ret->data;
memcpy(s, p, (int)len); memcpy(s, p, (int)len);

View File

@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
#endif #endif
#define HEADER_SIZE 8 #define HEADER_SIZE 8
#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{ {
BUF_MEM *b; BUF_MEM *b;
@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
/* suck in c.slen bytes of data */ /* suck in c.slen bytes of data */
want = c.slen; want = c.slen;
if (want > (len - off)) { if (want > (len - off)) {
size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
want -= (len - off); want -= (len - off);
if (want > INT_MAX /* BIO_read takes an int length */ || if (want > INT_MAX /* BIO_read takes an int length */ ||
len + want < len) { len + want < len) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
goto err; goto err;
} }
if (!BUF_MEM_grow_clean(b, len + want)) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
goto err;
}
while (want > 0) { while (want > 0) {
i = BIO_read(in, &(b->data[len]), want); /*
if (i <= 0) { * Read content in chunks of increasing size
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, * so we can return an error for EOF without
ASN1_R_NOT_ENOUGH_DATA); * having to allocate the entire content length
* in one go.
*/
size_t chunk = want > chunk_max ? chunk_max : want;
if (!BUF_MEM_grow_clean(b, len + chunk)) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
want -= chunk;
while (chunk > 0) {
i = BIO_read(in, &(b->data[len]), chunk);
if (i <= 0) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
ASN1_R_NOT_ENOUGH_DATA);
goto err;
}
/* /*
* This can't overflow because |len+want| didn't * This can't overflow because |len+want| didn't
* overflow. * overflow.
*/ */
len += i; len += i;
want -= i; chunk -= i;
}
if (chunk_max < INT_MAX/2)
chunk_max *= 2;
} }
} }
if (off + c.slen < off) { if (off + c.slen < off) {

View File

@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
result = 0; /* They do not have content. */ result = 0; /* They do not have content. */
break; break;
case V_ASN1_INTEGER: case V_ASN1_INTEGER:
case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED: case V_ASN1_ENUMERATED:
case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING: case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING: case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE: case V_ASN1_SEQUENCE:

View File

@ -63,7 +63,7 @@
#include <openssl/asn1_mac.h> #include <openssl/asn1_mac.h>
static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
int max); long max);
static void asn1_put_length(unsigned char **pp, int length); static void asn1_put_length(unsigned char **pp, int length);
const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT; const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
} }
*ptag = tag; *ptag = tag;
*pclass = xclass; *pclass = xclass;
if (!asn1_get_length(&p, &inf, plength, (int)max)) if (!asn1_get_length(&p, &inf, plength, max))
goto err; goto err;
if (inf && !(ret & V_ASN1_CONSTRUCTED)) if (inf && !(ret & V_ASN1_CONSTRUCTED))
@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
} }
static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
int max) long max)
{ {
const unsigned char *p = *pp; const unsigned char *p = *pp;
unsigned long ret = 0; unsigned long ret = 0;
unsigned int i; unsigned long i;
if (max-- < 1) if (max-- < 1)
return (0); return 0;
if (*p == 0x80) { if (*p == 0x80) {
*inf = 1; *inf = 1;
ret = 0; ret = 0;
@ -175,15 +175,11 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
*inf = 0; *inf = 0;
i = *p & 0x7f; i = *p & 0x7f;
if (*(p++) & 0x80) { if (*(p++) & 0x80) {
if (i > sizeof(long)) if (i > sizeof(ret) || max < (long)i)
return 0; return 0;
if (max-- == 0)
return (0);
while (i-- > 0) { while (i-- > 0) {
ret <<= 8L; ret <<= 8L;
ret |= *(p++); ret |= *(p++);
if (max-- == 0)
return (0);
} }
} else } else
ret = i; ret = i;
@ -192,7 +188,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
return 0; return 0;
*pp = p; *pp = p;
*rl = (long)ret; *rl = (long)ret;
return (1); return 1;
} }
/* /*

View File

@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0)) if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
goto end; goto end;
if (j & V_ASN1_CONSTRUCTED) { if (j & V_ASN1_CONSTRUCTED) {
const unsigned char *sp;
ep = p + len; ep = p + len;
if (BIO_write(bp, "\n", 1) <= 0) if (BIO_write(bp, "\n", 1) <= 0)
goto end; goto end;
@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
goto end; goto end;
} }
if ((j == 0x21) && (len == 0)) { if ((j == 0x21) && (len == 0)) {
sp = p;
for (;;) { for (;;) {
r = asn1_parse2(bp, &p, (long)(tot - p), r = asn1_parse2(bp, &p, (long)(tot - p),
offset + (p - *pp), depth + 1, offset + (p - *pp), depth + 1,
@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
ret = 0; ret = 0;
goto end; goto end;
} }
if ((r == 2) || (p >= tot)) if ((r == 2) || (p >= tot)) {
len = p - sp;
break; break;
}
} }
} else } else {
long tmp = len;
while (p < ep) { while (p < ep) {
r = asn1_parse2(bp, &p, (long)len, sp = p;
offset + (p - *pp), depth + 1, r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1,
indent, dump); indent, dump);
if (r == 0) { if (r == 0) {
ret = 0; ret = 0;
goto end; goto end;
} }
tmp -= p - sp;
} }
}
} else if (xclass != 0) { } else if (xclass != 0) {
p += len; p += len;
if (BIO_write(bp, "\n", 1) <= 0) if (BIO_write(bp, "\n", 1) <= 0)

View File

@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
goto err; goto err;
bs = X509_get_serialNumber(x); bs = X509_get_serialNumber(x);
if (bs->length <= (int)sizeof(long)) { if (bs->length < (int)sizeof(long)
|| (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {
l = ASN1_INTEGER_get(bs); l = ASN1_INTEGER_get(bs);
if (bs->type == V_ASN1_NEG_INTEGER) { if (bs->type == V_ASN1_NEG_INTEGER) {
l = -l; l = -l;

View File

@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
break; break;
case V_ASN1_INTEGER: case V_ASN1_INTEGER:
case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED: case V_ASN1_ENUMERATED:
case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval; tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len)) if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err; goto err;

View File

@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
break; break;
case V_ASN1_INTEGER: case V_ASN1_INTEGER:
case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED: case V_ASN1_ENUMERATED:
case V_ASN1_NEG_ENUMERATED:
/* /*
* These are all have the same content format as ASN1_INTEGER * These are all have the same content format as ASN1_INTEGER
*/ */

View File

@ -66,6 +66,13 @@
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
/*
* Maximum length of X509_NAME: much larger than anything we should
* ever see in practice.
*/
#define X509_NAME_MAX (1024 * 1024)
static int x509_name_ex_d2i(ASN1_VALUE **val, static int x509_name_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long len, const unsigned char **in, long len,
const ASN1_ITEM *it, const ASN1_ITEM *it,
@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
int i, j, ret; int i, j, ret;
STACK_OF(X509_NAME_ENTRY) *entries; STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry; X509_NAME_ENTRY *entry;
if (len > X509_NAME_MAX) {
ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
return 0;
}
q = p; q = p;
/* Get internal representation of Name */ /* Get internal representation of Name */

View File

@ -201,10 +201,20 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
int i2d_X509_AUX(X509 *a, unsigned char **pp) int i2d_X509_AUX(X509 *a, unsigned char **pp)
{ {
int length; int length, tmplen;
unsigned char *start = pp != NULL ? *pp : NULL;
length = i2d_X509(a, pp); length = i2d_X509(a, pp);
if (a) if (length < 0 || a == NULL)
length += i2d_X509_CERT_AUX(a->aux, pp); return length;
tmplen = i2d_X509_CERT_AUX(a->aux, pp);
if (tmplen < 0) {
if (start != NULL)
*pp = start;
return tmplen;
}
length += tmplen;
return length; return length;
} }

View File

@ -212,8 +212,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
} }
#endif #endif
if (ctx->digest != type) { if (ctx->digest != type) {
if (ctx->digest && ctx->digest->ctx_size) if (ctx->digest && ctx->digest->ctx_size) {
OPENSSL_free(ctx->md_data); OPENSSL_free(ctx->md_data);
ctx->md_data = NULL;
}
ctx->digest = type; ctx->digest = type;
if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
ctx->update = type->update; ctx->update = type->update;

View File

@ -60,6 +60,7 @@
# include <openssl/sha.h> # include <openssl/sha.h>
# include <openssl/rand.h> # include <openssl/rand.h>
# include "modes_lcl.h" # include "modes_lcl.h"
# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER # ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@ -578,6 +579,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255; maxpad &= 255;
ret &= constant_time_ge(maxpad, pad);
inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask; inp_len &= mask;

View File

@ -60,6 +60,7 @@
# include <openssl/sha.h> # include <openssl/sha.h>
# include <openssl/rand.h> # include <openssl/rand.h>
# include "modes_lcl.h" # include "modes_lcl.h"
# include "constant_time_locl.h"
# ifndef EVP_CIPH_FLAG_AEAD_CIPHER # ifndef EVP_CIPH_FLAG_AEAD_CIPHER
# define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
@ -589,6 +590,8 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
maxpad &= 255; maxpad &= 255;
ret &= constant_time_ge(maxpad, pad);
inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1); inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1);
mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
inp_len &= mask; inp_len &= mask;

View File

@ -57,6 +57,7 @@
*/ */
#include <stdio.h> #include <stdio.h>
#include <limits.h>
#include "cryptlib.h" #include "cryptlib.h"
#include <openssl/evp.h> #include <openssl/evp.h>
@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl) const unsigned char *in, int inl)
{ {
int i, j; int i, j;
unsigned int total = 0; size_t total = 0;
*outl = 0; *outl = 0;
if (inl <= 0) if (inl <= 0)
return; return;
OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
if ((ctx->num + inl) < ctx->length) { if (ctx->length - ctx->num > inl) {
memcpy(&(ctx->enc_data[ctx->num]), in, inl); memcpy(&(ctx->enc_data[ctx->num]), in, inl);
ctx->num += inl; ctx->num += inl;
return; return;
@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
*out = '\0'; *out = '\0';
total = j + 1; total = j + 1;
} }
while (inl >= ctx->length) { while (inl >= ctx->length && total <= INT_MAX) {
j = EVP_EncodeBlock(out, in, ctx->length); j = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length; in += ctx->length;
inl -= ctx->length; inl -= ctx->length;
@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
*out = '\0'; *out = '\0';
total += j + 1; total += j + 1;
} }
if (total > INT_MAX) {
/* Too much output data! */
*outl = 0;
return;
}
if (inl != 0) if (inl != 0)
memcpy(&(ctx->enc_data[0]), in, inl); memcpy(&(ctx->enc_data[0]), in, inl);
ctx->num = inl; ctx->num = inl;

View File

@ -347,7 +347,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
bl = ctx->cipher->block_size; bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) { if (i != 0) {
if (i + inl < bl) { if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl); memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl; ctx->buf_len += inl;
*outl = 0; *outl = 0;

View File

@ -348,7 +348,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
if (enc != NULL) { if (enc != NULL) {
objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc)); objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
if (objstr == NULL) { if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER); PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER);
goto err; goto err;
} }

View File

@ -131,6 +131,10 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
# define MS_PVKMAGIC 0xb0b5f11eL # define MS_PVKMAGIC 0xb0b5f11eL
/* Salt length for PVK files */ /* Salt length for PVK files */
# define PVK_SALTLEN 0x10 # define PVK_SALTLEN 0x10
/* Maximum length in PVK header */
# define PVK_MAX_KEYLEN 102400
/* Maximum salt length */
# define PVK_MAX_SALTLEN 10240
static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
unsigned int bitlen, int ispub); unsigned int bitlen, int ispub);
@ -644,6 +648,9 @@ static int do_PVK_header(const unsigned char **in, unsigned int length,
*psaltlen = read_ledword(&p); *psaltlen = read_ledword(&p);
*pkeylen = read_ledword(&p); *pkeylen = read_ledword(&p);
if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
return 0;
if (is_encrypted && !*psaltlen) { if (is_encrypted && !*psaltlen) {
PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER); PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
return 0; return 0;

View File

@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
{ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"}, {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
{ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"}, {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"}, {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
{ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
{ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"}, {ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"},
{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
"no cert set for us to verify"}, "no cert set for us to verify"},

View File

@ -63,6 +63,13 @@
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/buffer.h> #include <openssl/buffer.h>
/*
* Limit to ensure we don't overflow: much greater than
* anything enountered in practice.
*/
#define NAME_ONELINE_MAX (1024 * 1024)
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{ {
X509_NAME_ENTRY *ne; X509_NAME_ENTRY *ne;
@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
goto err; goto err;
b->data[0] = '\0'; b->data[0] = '\0';
len = 200; len = 200;
} else if (len == 0) {
return NULL;
} }
if (a == NULL) { if (a == NULL) {
if (b) { if (b) {
@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type; type = ne->value->type;
num = ne->value->length; num = ne->value->length;
if (num > NAME_ONELINE_MAX) {
X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
goto end;
}
q = ne->value->data; q = ne->value->data;
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC
if (type == V_ASN1_GENERALSTRING || if (type == V_ASN1_GENERALSTRING ||
@ -117,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type == V_ASN1_PRINTABLESTRING || type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING || type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) if (num > (int)sizeof(ebcdic_buf))
? sizeof ebcdic_buf : num); num = sizeof(ebcdic_buf);
ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf; q = ebcdic_buf;
} }
#endif #endif
@ -154,6 +168,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l; lold = l;
l += 1 + l1 + 1 + l2; l += 1 + l1 + 1 + l2;
if (l > NAME_ONELINE_MAX) {
X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
goto end;
}
if (b != NULL) { if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1)) if (!BUF_MEM_grow(b, l + 1))
goto err; goto err;
@ -206,7 +224,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p); return (p);
err: err:
X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE); X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
if (b != NULL) end:
BUF_MEM_free(b); BUF_MEM_free(b);
return (NULL); return (NULL);
} }

View File

@ -4,6 +4,10 @@
# include <openssl/crypto.h> # include <openssl/crypto.h>
# ifdef OPENSSL_NO_COMP
# error COMP is disabled.
# endif
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif

View File

@ -3,6 +3,10 @@
//sorry godot needs a single file for multiple builds //sorry godot needs a single file for multiple builds
#ifdef __cplusplus
extern "C" {
#endif
// Check windows // Check windows
#ifdef USE_64BITS #ifdef USE_64BITS
@ -41,6 +45,9 @@
#ifndef OPENSSL_NO_KRB5 #ifndef OPENSSL_NO_KRB5
# define OPENSSL_NO_KRB5 # define OPENSSL_NO_KRB5
#endif #endif
#ifndef OPENSSL_NO_LIBUNBOUND
# define OPENSSL_NO_LIBUNBOUND
#endif
#ifndef OPENSSL_NO_MD2 #ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2 # define OPENSSL_NO_MD2
#endif #endif
@ -53,9 +60,21 @@
#ifndef OPENSSL_NO_SCTP #ifndef OPENSSL_NO_SCTP
# define OPENSSL_NO_SCTP # define OPENSSL_NO_SCTP
#endif #endif
#ifndef OPENSSL_NO_SSL_TRACE
# define OPENSSL_NO_SSL_TRACE
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_STORE #ifndef OPENSSL_NO_STORE
# define OPENSSL_NO_STORE # define OPENSSL_NO_STORE
#endif #endif
#ifndef OPENSSL_NO_UNIT_TEST
# define OPENSSL_NO_UNIT_TEST
#endif
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
# define OPENSSL_NO_WEAK_SSL_CIPHERS
#endif
#endif /* OPENSSL_DOING_MAKEDEPEND */ #endif /* OPENSSL_DOING_MAKEDEPEND */
@ -83,6 +102,9 @@
# if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) # if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5)
# define NO_KRB5 # define NO_KRB5
# endif # endif
# if defined(OPENSSL_NO_LIBUNBOUND) && !defined(NO_LIBUNBOUND)
# define NO_LIBUNBOUND
# endif
# if defined(OPENSSL_NO_MD2) && !defined(NO_MD2) # if defined(OPENSSL_NO_MD2) && !defined(NO_MD2)
# define NO_MD2 # define NO_MD2
# endif # endif
@ -95,9 +117,21 @@
# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP) # if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP)
# define NO_SCTP # define NO_SCTP
# endif # endif
# if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE)
# define NO_SSL_TRACE
# endif
# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
# define NO_SSL2
# endif
# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE) # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
# define NO_STORE # define NO_STORE
# endif # endif
# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
# define NO_UNIT_TEST
# endif
# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
# define NO_WEAK_SSL_CIPHERS
# endif
#endif #endif
//#define OPENSSL_CPUID_OBJ //#define OPENSSL_CPUID_OBJ
@ -278,3 +312,6 @@
#endif /* DES_DEFAULT_OPTIONS */ #endif /* DES_DEFAULT_OPTIONS */
#endif /* HEADER_DES_LOCL_H */ #endif /* HEADER_DES_LOCL_H */
#ifdef __cplusplus
}
#endif

View File

@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1000207fL # define OPENSSL_VERSION_NUMBER 0x1000208fL
# ifdef OPENSSL_FIPS # ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g-fips 1 Mar 2016" # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h-fips 3 May 2016"
# else # else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2g 1 Mar 2016" # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2h 3 May 2016"
# endif # endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

View File

@ -338,7 +338,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when * The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'. * an application-defined cipher list string starts with 'DEFAULT'.
*/ */
# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2" # define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/* /*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is * starts with a reasonable order, and all we have to do for DEFAULT is
@ -2345,7 +2345,7 @@ const char *SSL_get_version(const SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */ /* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth); int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
# ifndef OPENSSL_NO_SSL2 # ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */ const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */ const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */ const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */

View File

@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void);
# define X509_R_LOADING_CERT_DIR 103 # define X509_R_LOADING_CERT_DIR 103
# define X509_R_LOADING_DEFAULTS 104 # define X509_R_LOADING_DEFAULTS 104
# define X509_R_METHOD_NOT_SUPPORTED 124 # define X509_R_METHOD_NOT_SUPPORTED 124
# define X509_R_NAME_TOO_LONG 134
# define X509_R_NEWER_CRL_NOT_NEWER 132 # define X509_R_NEWER_CRL_NOT_NEWER 132
# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
# define X509_R_NO_CRL_NUMBER 130 # define X509_R_NO_CRL_NUMBER 130

View File

@ -1459,6 +1459,8 @@ int dtls1_process_heartbeat(SSL *s)
* plus 2 bytes payload length, plus payload, plus padding * plus 2 bytes payload length, plus payload, plus padding
*/ */
buffer = OPENSSL_malloc(write_length); buffer = OPENSSL_malloc(write_length);
if (buffer == NULL)
return -1;
bp = buffer; bp = buffer;
/* Enter response type, length and copy payload */ /* Enter response type, length and copy payload */

View File

@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0, 0,
128, 128,
128, 128,
@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC, SSL2_CF_5_BYTE_ENC,
40, 40,
128, 128,
@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0, 0,
128, 128,
128, 128,
@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC, SSL2_CF_5_BYTE_ENC,
40, 40,
128, 128,
@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_IDEA, SSL_IDEA,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0, 0,
128, 128,
128, 128,
@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_DES, SSL_DES,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
0, 0,
56, 56,
56, 56,
@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
0, 0,
112, 112,
168, 168,
@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV2, SSL_SSLV2,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL2_CF_8_BYTE_ENC, SSL2_CF_8_BYTE_ENC,
64, 64,
64, 64,

View File

@ -57,7 +57,8 @@
*/ */
#include "ssl_locl.h" #include "ssl_locl.h"
#ifndef OPENSSL_NO_SSL2 #ifndef OPENSSL_NO_SSL2_METHOD
# ifndef OPENSSL_NO_SSL2
# include <stdio.h> # include <stdio.h>
# include <openssl/objects.h> # include <openssl/objects.h>
@ -72,7 +73,16 @@ static const SSL_METHOD *ssl2_get_method(int ver)
IMPLEMENT_ssl2_meth_func(SSLv2_method, IMPLEMENT_ssl2_meth_func(SSLv2_method,
ssl2_accept, ssl2_connect, ssl2_get_method) ssl2_accept, ssl2_connect, ssl2_get_method)
#else /* !OPENSSL_NO_SSL2 */
# else /* !OPENSSL_NO_SSL2 */
const SSL_METHOD *SSLv2_method(void) { return NULL; }
const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
# endif
#else /* !OPENSSL_NO_SSL2_METHOD */
# if PEDANTIC # if PEDANTIC
static void *dummy = &dummy; static void *dummy = &dummy;

View File

@ -2199,6 +2199,7 @@ int ssl3_get_certificate_request(SSL *s)
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
xn = NULL;
p += l; p += l;
nc += l + 2; nc += l + 2;
@ -2222,6 +2223,7 @@ int ssl3_get_certificate_request(SSL *s)
err: err:
s->state = SSL_ST_ERR; s->state = SSL_ST_ERR;
done: done:
X509_NAME_free(xn);
if (ca_sk != NULL) if (ca_sk != NULL)
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return (ret); return (ret);

View File

@ -208,7 +208,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -258,7 +258,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -294,7 +294,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -312,7 +312,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -347,7 +347,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -365,7 +365,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -399,7 +399,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -417,7 +417,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -452,7 +452,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -470,7 +470,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -556,7 +556,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -573,7 +573,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -590,7 +590,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -608,7 +608,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -625,7 +625,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112, 112,
168, 168,
@ -695,7 +695,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -761,7 +761,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_NOT_EXP | SSL_LOW, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -827,7 +827,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -845,7 +845,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -863,7 +863,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -881,7 +881,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
56, 56,
@ -899,7 +899,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -917,7 +917,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_SSLV3, SSL_SSLV3,
SSL_EXPORT | SSL_EXP40, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40, 40,
128, 128,
@ -1011,7 +1011,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1106,7 +1106,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1302,7 +1302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA128, SSL_CAMELLIA128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1322,7 +1322,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_MD5, SSL_MD5,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1338,7 +1338,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC2, SSL_RC2,
SSL_MD5, SSL_MD5,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1356,7 +1356,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -1374,7 +1374,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_DES, SSL_DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
56, 56,
@ -1392,7 +1392,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1410,7 +1410,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_EXPORT | SSL_EXP56, SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56, 56,
128, 128,
@ -1525,7 +1525,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -1541,7 +1541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA256, SSL_SHA256,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1694,7 +1694,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_CAMELLIA256, SSL_CAMELLIA256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,
@ -1860,7 +1860,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_SEED, SSL_SEED,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2040,7 +2040,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128GCM, SSL_AES128GCM,
SSL_AEAD, SSL_AEAD,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128, 128,
128, 128,
@ -2056,7 +2056,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256GCM, SSL_AES256GCM,
SSL_AEAD, SSL_AEAD,
SSL_TLSV1_2, SSL_TLSV1_2,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256, 256,
256, 256,
@ -2424,7 +2424,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4, SSL_RC4,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_MEDIUM, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2440,7 +2440,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_3DES, SSL_3DES,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112, 112,
168, 168,
@ -2456,7 +2456,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES128, SSL_AES128,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128, 128,
128, 128,
@ -2472,7 +2472,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
SSL_AES256, SSL_AES256,
SSL_SHA1, SSL_SHA1,
SSL_TLSV1, SSL_TLSV1,
SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256, 256,
256, 256,

View File

@ -504,6 +504,8 @@ void ssl_cert_free(CERT *c)
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
custom_exts_free(&c->cli_ext); custom_exts_free(&c->cli_ext);
custom_exts_free(&c->srv_ext); custom_exts_free(&c->srv_ext);
if (c->alpn_proposed)
OPENSSL_free(c->alpn_proposed);
#endif #endif
OPENSSL_free(c); OPENSSL_free(c);
} }
@ -1057,13 +1059,18 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
unsigned char *p; unsigned char *p;
n = i2d_X509(x, NULL); n = i2d_X509(x, NULL);
if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { if (n < 0 || !BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {
SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB); SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
return 0; return 0;
} }
p = (unsigned char *)&(buf->data[*l]); p = (unsigned char *)&(buf->data[*l]);
l2n3(n, p); l2n3(n, p);
i2d_X509(x, &p); n = i2d_X509(x, &p);
if (n < 0) {
/* Shouldn't happen */
SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
return 0;
}
*l += n + 3; *l += n + 3;
return 1; return 1;

View File

@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[] = {
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!) * ALL!)
*/ */
{0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2, {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
SSL_EXP_MASK, 0, 0, 0},
/* /*
* key exchange aliases (some of those using only a single bit here * key exchange aliases (some of those using only a single bit here
@ -1030,10 +1029,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if (cipher_id && cipher_id != cp->id) if (cipher_id && cipher_id != cp->id)
continue; continue;
#endif #endif
if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
goto ok;
if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue; continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth)) if (alg_auth && !(alg_auth & cp->algorithm_auth))
@ -1050,10 +1045,11 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
if ((algo_strength & SSL_STRONG_MASK) if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
continue; continue;
if ((algo_strength & SSL_NOT_DEFAULT)
&& !(cp->algo_strength & SSL_NOT_DEFAULT))
continue;
} }
ok:
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule); fprintf(stderr, "Action = %d\n", rule);
#endif #endif
@ -1337,6 +1333,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
ca_list[j]->algo_strength & SSL_STRONG_MASK; ca_list[j]->algo_strength & SSL_STRONG_MASK;
} }
if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) {
algo_strength |= SSL_NOT_DEFAULT;
}
if (ca_list[j]->valid) { if (ca_list[j]->valid) {
/* /*
* explicit ciphersuite found; its protocol version does not * explicit ciphersuite found; its protocol version does not

View File

@ -244,7 +244,16 @@ int SSL_clear(SSL *s)
ssl_clear_hash_ctx(&s->write_hash); ssl_clear_hash_ctx(&s->write_hash);
s->first_packet = 0; s->first_packet = 0;
#ifndef OPENSSL_NO_TLSEXT
if (s->cert != NULL) {
if (s->cert->alpn_proposed) {
OPENSSL_free(s->cert->alpn_proposed);
s->cert->alpn_proposed = NULL;
}
s->cert->alpn_proposed_len = 0;
s->cert->alpn_sent = 0;
}
#endif
#if 1 #if 1
/* /*
* Check to see if we were changed into a different method, if so, revert * Check to see if we were changed into a different method, if so, revert
@ -3174,6 +3183,12 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen; ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen;
ocert->ciphers_raw = NULL; ocert->ciphers_raw = NULL;
} }
#ifndef OPENSSL_NO_TLSEXT
ssl->cert->alpn_proposed = ocert->alpn_proposed;
ssl->cert->alpn_proposed_len = ocert->alpn_proposed_len;
ocert->alpn_proposed = NULL;
ssl->cert->alpn_sent = ocert->alpn_sent;
#endif
ssl_cert_free(ocert); ssl_cert_free(ocert);
} }

View File

@ -436,8 +436,9 @@
# define SSL_MEDIUM 0x00000040L # define SSL_MEDIUM 0x00000040L
# define SSL_HIGH 0x00000080L # define SSL_HIGH 0x00000080L
# define SSL_FIPS 0x00000100L # define SSL_FIPS 0x00000100L
# define SSL_NOT_DEFAULT 0x00000200L
/* we have used 000001ff - 23 bits left to go */ /* we have used 000003ff - 22 bits left to go */
/*- /*-
* Macros to check the export status and cipher strength for export ciphers. * Macros to check the export status and cipher strength for export ciphers.
@ -687,6 +688,10 @@ typedef struct cert_st {
custom_ext_methods cli_ext; custom_ext_methods cli_ext;
custom_ext_methods srv_ext; custom_ext_methods srv_ext;
int references; /* >1 only if SSL_copy_session_id is used */ int references; /* >1 only if SSL_copy_session_id is used */
/* non-optimal, but here due to compatibility */
unsigned char *alpn_proposed; /* server */
unsigned int alpn_proposed_len;
int alpn_sent; /* client */
} CERT; } CERT;
typedef struct sess_cert_st { typedef struct sess_cert_st {

View File

@ -841,7 +841,7 @@ static int serverinfo_srv_add_cb(SSL *s, unsigned int ext_type,
return 0; /* No extension found, don't send extension */ return 0; /* No extension found, don't send extension */
return 1; /* Send extension */ return 1; /* Send extension */
} }
return -1; /* No serverinfo data found, don't send return 0; /* No serverinfo data found, don't send
* extension */ * extension */
} }
@ -870,12 +870,26 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo,
/* Register callbacks for extensions */ /* Register callbacks for extensions */
ext_type = (serverinfo[0] << 8) + serverinfo[1]; ext_type = (serverinfo[0] << 8) + serverinfo[1];
if (ctx && !SSL_CTX_add_server_custom_ext(ctx, ext_type, if (ctx) {
serverinfo_srv_add_cb, int have_ext_cbs = 0;
NULL, NULL, size_t i;
serverinfo_srv_parse_cb, custom_ext_methods *exts = &ctx->cert->srv_ext;
NULL)) custom_ext_method *meth = exts->meths;
return 0;
for (i = 0; i < exts->meths_count; i++, meth++) {
if (ext_type == meth->ext_type) {
have_ext_cbs = 1;
break;
}
}
if (!have_ext_cbs && !SSL_CTX_add_server_custom_ext(ctx, ext_type,
serverinfo_srv_add_cb,
NULL, NULL,
serverinfo_srv_parse_cb,
NULL))
return 0;
}
serverinfo += 2; serverinfo += 2;
serverinfo_length -= 2; serverinfo_length -= 2;

View File

@ -1539,6 +1539,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
s2n(s->alpn_client_proto_list_len, ret); s2n(s->alpn_client_proto_list_len, ret);
memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len); memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
ret += s->alpn_client_proto_list_len; ret += s->alpn_client_proto_list_len;
s->cert->alpn_sent = 1;
} }
# ifndef OPENSSL_NO_SRTP # ifndef OPENSSL_NO_SRTP
if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
@ -1906,7 +1907,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
# endif /* !OPENSSL_NO_EC */ # endif /* !OPENSSL_NO_EC */
/* /*
* tls1_alpn_handle_client_hello is called to process the ALPN extension in a * tls1_alpn_handle_client_hello is called to save the ALPN extension in a
* ClientHello. data: the contents of the extension, not including the type * ClientHello. data: the contents of the extension, not including the type
* and length. data_len: the number of bytes in |data| al: a pointer to the * and length. data_len: the number of bytes in |data| al: a pointer to the
* alert value to send in the event of a non-zero return. returns: 0 on * alert value to send in the event of a non-zero return. returns: 0 on
@ -1917,12 +1918,6 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
{ {
unsigned i; unsigned i;
unsigned proto_len; unsigned proto_len;
const unsigned char *selected;
unsigned char selected_len;
int r;
if (s->ctx->alpn_select_cb == NULL)
return 0;
if (data_len < 2) if (data_len < 2)
goto parse_error; goto parse_error;
@ -1953,19 +1948,15 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
i += proto_len; i += proto_len;
} }
r = s->ctx->alpn_select_cb(s, &selected, &selected_len, data, data_len, if (s->cert->alpn_proposed != NULL)
s->ctx->alpn_select_cb_arg); OPENSSL_free(s->cert->alpn_proposed);
if (r == SSL_TLSEXT_ERR_OK) { s->cert->alpn_proposed = OPENSSL_malloc(data_len);
if (s->s3->alpn_selected) if (s->cert->alpn_proposed == NULL) {
OPENSSL_free(s->s3->alpn_selected); *al = SSL_AD_INTERNAL_ERROR;
s->s3->alpn_selected = OPENSSL_malloc(selected_len); return -1;
if (!s->s3->alpn_selected) {
*al = SSL_AD_INTERNAL_ERROR;
return -1;
}
memcpy(s->s3->alpn_selected, selected, selected_len);
s->s3->alpn_selected_len = selected_len;
} }
memcpy(s->cert->alpn_proposed, data, data_len);
s->cert->alpn_proposed_len = data_len;
return 0; return 0;
parse_error: parse_error:
@ -1973,6 +1964,43 @@ static int tls1_alpn_handle_client_hello(SSL *s, const unsigned char *data,
return -1; return -1;
} }
/*
* Process the ALPN extension in a ClientHello.
* ret: a pointer to the TLSEXT return value: SSL_TLSEXT_ERR_*
* al: a pointer to the alert value to send in the event of a failure.
* returns 1 on success, 0 on failure: al/ret set only on failure
*/
static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
{
const unsigned char *selected = NULL;
unsigned char selected_len = 0;
if (s->ctx->alpn_select_cb != NULL && s->cert->alpn_proposed != NULL) {
int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
s->cert->alpn_proposed,
s->cert->alpn_proposed_len,
s->ctx->alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = OPENSSL_malloc(selected_len);
if (s->s3->alpn_selected == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
*ret = SSL_TLSEXT_ERR_ALERT_FATAL;
return 0;
}
memcpy(s->s3->alpn_selected, selected, selected_len);
s->s3->alpn_selected_len = selected_len;
# ifndef OPENSSL_NO_NEXTPROTONEG
/* ALPN takes precedence over NPN. */
s->s3->next_proto_neg_seen = 0;
# endif
}
}
return 1;
}
static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
unsigned char *limit, int *al) unsigned char *limit, int *al)
{ {
@ -1992,6 +2020,12 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
OPENSSL_free(s->s3->alpn_selected); OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = NULL; s->s3->alpn_selected = NULL;
} }
s->s3->alpn_selected_len = 0;
if (s->cert->alpn_proposed) {
OPENSSL_free(s->cert->alpn_proposed);
s->cert->alpn_proposed = NULL;
}
s->cert->alpn_proposed_len = 0;
# ifndef OPENSSL_NO_HEARTBEATS # ifndef OPENSSL_NO_HEARTBEATS
s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED | s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
SSL_TLSEXT_HB_DONT_SEND_REQUESTS); SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
@ -2359,8 +2393,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
# endif # endif
# ifndef OPENSSL_NO_NEXTPROTONEG # ifndef OPENSSL_NO_NEXTPROTONEG
else if (type == TLSEXT_TYPE_next_proto_neg && else if (type == TLSEXT_TYPE_next_proto_neg &&
s->s3->tmp.finish_md_len == 0 && s->s3->tmp.finish_md_len == 0) {
s->s3->alpn_selected == NULL) {
/*- /*-
* We shouldn't accept this extension on a * We shouldn't accept this extension on a
* renegotiation. * renegotiation.
@ -2383,13 +2416,9 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
# endif # endif
else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation && else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation &&
s->ctx->alpn_select_cb && s->s3->tmp.finish_md_len == 0) { s->s3->tmp.finish_md_len == 0) {
if (tls1_alpn_handle_client_hello(s, data, size, al) != 0) if (tls1_alpn_handle_client_hello(s, data, size, al) != 0)
return 0; return 0;
# ifndef OPENSSL_NO_NEXTPROTONEG
/* ALPN takes precedence over NPN. */
s->s3->next_proto_neg_seen = 0;
# endif
} }
/* session ticket processed earlier */ /* session ticket processed earlier */
@ -2698,7 +2727,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
unsigned len; unsigned len;
/* We must have requested it. */ /* We must have requested it. */
if (s->alpn_client_proto_list == NULL) { if (!s->cert->alpn_sent) {
*al = TLS1_AD_UNSUPPORTED_EXTENSION; *al = TLS1_AD_UNSUPPORTED_EXTENSION;
return 0; return 0;
} }
@ -2863,6 +2892,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
} }
# endif # endif
s->cert->alpn_sent = 0;
return 1; return 1;
} }
@ -3066,6 +3096,10 @@ int ssl_check_clienthello_tlsext_late(SSL *s)
} else } else
s->tlsext_status_expected = 0; s->tlsext_status_expected = 0;
if (!tls1_alpn_handle_client_hello_late(s, &ret, &al)) {
goto err;
}
err: err:
switch (ret) { switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL: case SSL_TLSEXT_ERR_ALERT_FATAL:
@ -3415,8 +3449,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
sdec = OPENSSL_malloc(eticklen); sdec = OPENSSL_malloc(eticklen);
if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { if (sdec == NULL
|| EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
EVP_CIPHER_CTX_cleanup(&ctx); EVP_CIPHER_CTX_cleanup(&ctx);
OPENSSL_free(sdec);
return -1; return -1;
} }
if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) { if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
@ -3856,6 +3892,8 @@ int tls1_process_heartbeat(SSL *s)
* plus 2 bytes payload length, plus payload, plus padding * plus 2 bytes payload length, plus payload, plus padding
*/ */
buffer = OPENSSL_malloc(1 + 2 + payload + padding); buffer = OPENSSL_malloc(1 + 2 + payload + padding);
if (buffer == NULL)
return -1;
bp = buffer; bp = buffer;
/* Enter response type, length and copy payload */ /* Enter response type, length and copy payload */