X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=02cf88be4579a19ffc6f787b4dbf358041f9f3bc;hp=1baf9936ba07fed0a0558df0198c0b550e18b7b0;hb=e2726ce64dc0762d9678fb10639b0f42d9abfc52;hpb=d33726b92e09605a088369d0e01c99d138c0524f;ds=sidebyside diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 1baf9936ba..02cf88be45 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -57,7 +57,7 @@ #define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) /* - * The list of available ciphers, organized into the following + * The list of available ciphers, mostly organized into the following * groups: * Always there * EC @@ -108,7 +108,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -138,7 +138,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -862,7 +862,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -924,7 +924,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1201,7 +1201,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1248,7 +1248,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1295,7 +1295,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1613,7 +1613,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM | SSL_FIPS, + SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1739,7 +1739,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -1754,7 +1754,7 @@ static SSL_CIPHER ssl3_ciphers[] = { SSL_SHA1, SSL3_VERSION, TLS1_2_VERSION, DTLS1_BAD_VER, DTLS1_2_VERSION, - SSL_MEDIUM, + SSL_NOT_DEFAULT | SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168, @@ -2750,7 +2750,8 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { int use_context))ssl_undefined_function, 0, SSL3_HM_HEADER_LENGTH, - ssl3_set_handshake_header, + ssl3_set_handshake_header2, + tls_close_construct_packet, ssl3_handshake_write }; @@ -2776,13 +2777,18 @@ const SSL_CIPHER *ssl3_get_cipher(unsigned int u) return (NULL); } -int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) +/* + * Temporary name. To be renamed ssl3_set_handshake_header() once all WPACKET + * conversion is complete. The old ssl3_set_handshake_heder() can be deleted + * at that point. + * TODO - RENAME ME + */ +int ssl3_set_handshake_header2(SSL *s, WPACKET *pkt, int htype) { - unsigned char *p = (unsigned char *)s->init_buf->data; - *(p++) = htype; - l2n3(len, p); - s->init_num = (int)len + SSL3_HM_HEADER_LENGTH; - s->init_off = 0; + /* Set the content type and 3 bytes for the message len */ + if (!WPACKET_put_bytes_u8(pkt, htype) + || !WPACKET_start_sub_packet_u24(pkt)) + return 0; return 1; } @@ -3553,18 +3559,18 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) return cp; } -int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) +int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len) { - long l; - - if (p != NULL) { - l = c->id; - if ((l & 0xff000000) != 0x03000000) - return (0); - p[0] = ((unsigned char)(l >> 8L)) & 0xFF; - p[1] = ((unsigned char)(l)) & 0xFF; + if ((c->id & 0xff000000) != 0x03000000) { + *len = 0; + return 1; } - return (2); + + if (!WPACKET_put_bytes_u16(pkt, c->id & 0xffff)) + return 0; + + *len = 2; + return 1; } /* @@ -3690,15 +3696,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, return (ret); } -int ssl3_get_req_cert_type(SSL *s, unsigned char *p) +int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) { - int ret = 0; uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ if (s->cert->ctypes) { - memcpy(p, s->cert->ctypes, s->cert->ctype_num); - return (int)s->cert->ctype_num; + return WPACKET_memcpy(pkt, s->cert->ctypes, s->cert->ctype_num); } /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); @@ -3706,45 +3710,43 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) alg_k = s->s3->tmp.new_cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST - if (s->version >= TLS1_VERSION) { - if (alg_k & SSL_kGOST) { - p[ret++] = TLS_CT_GOST01_SIGN; - p[ret++] = TLS_CT_GOST12_SIGN; - p[ret++] = TLS_CT_GOST12_512_SIGN; - return (ret); - } - } + if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST)) + return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN) + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN) + && WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN); #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_RSA - p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; + if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH)) + return 0; # endif # ifndef OPENSSL_NO_DSA - p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; + if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH)) + return 0; # endif #endif /* !OPENSSL_NO_DH */ } #ifndef OPENSSL_NO_RSA - if (!(alg_a & SSL_aRSA)) - p[ret++] = SSL3_CT_RSA_SIGN; + if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN)) + return 0; #endif #ifndef OPENSSL_NO_DSA - if (!(alg_a & SSL_aDSS)) - p[ret++] = SSL3_CT_DSS_SIGN; + if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN)) + return 0; #endif #ifndef OPENSSL_NO_EC /* * ECDSA certs can be used with RSA cipher suites too so we don't * need to check for SSL_kECDH or SSL_kECDHE */ - if (s->version >= TLS1_VERSION) { - if (!(alg_a & SSL_aECDSA)) - p[ret++] = TLS_CT_ECDSA_SIGN; - } + if (s->version >= TLS1_VERSION + && !(alg_a & SSL_aECDSA) + && !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN)) + return 0; #endif - return (ret); + return 1; } static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)