projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Require ServerInfo PEMs to be named "BEGIN SERVERINFO FOR"...
[openssl.git]
/
ssl
/
s3_lib.c
diff --git
a/ssl/s3_lib.c
b/ssl/s3_lib.c
index 2fe30d77a63c823a270a44d2def4ee4dacf98fa2..618f53d73d46b372fa4934adce62f7d1aac00c7b 100644
(file)
--- a/
ssl/s3_lib.c
+++ b/
ssl/s3_lib.c
@@
-3020,12
+3020,17
@@
void ssl3_free(SSL *s)
BIO_free(s->s3->handshake_buffer);
}
if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
BIO_free(s->s3->handshake_buffer);
}
if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
+#ifndef OPENSSL_NO_TLSEXT
+ if (s->s3->alpn_selected)
+ OPENSSL_free(s->s3->alpn_selected);
+#endif
+
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
#ifndef OPENSSL_NO_TLSEXT
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
#ifndef OPENSSL_NO_TLSEXT
- if (s->s3->tlsext_
authz_client
_types != NULL)
- OPENSSL_free(s->s3->tlsext_
authz_client
_types);
+ if (s->s3->tlsext_
custom
_types != NULL)
+ OPENSSL_free(s->s3->tlsext_
custom
_types);
#endif
OPENSSL_cleanse(s->s3,sizeof *s->s3);
OPENSSL_free(s->s3);
#endif
OPENSSL_cleanse(s->s3,sizeof *s->s3);
OPENSSL_free(s->s3);
@@
-3071,12
+3076,16
@@
void ssl3_clear(SSL *s)
}
#endif
#ifndef OPENSSL_NO_TLSEXT
}
#endif
#ifndef OPENSSL_NO_TLSEXT
- if (s->s3->tlsext_
authz_client
_types != NULL)
+ if (s->s3->tlsext_
custom
_types != NULL)
{
{
- OPENSSL_free(s->s3->tlsext_
authz_client
_types);
- s->s3->tlsext_
authz_client
_types = NULL;
+ OPENSSL_free(s->s3->tlsext_
custom
_types);
+ s->s3->tlsext_
custom
_types = NULL;
}
}
-#endif
+ s->s3->tlsext_custom_types_count = 0;
+#ifndef OPENSSL_NO_EC
+ s->s3->is_probably_safari = 0;
+#endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_TLSEXT */
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
@@
-3090,6
+3099,14
@@
void ssl3_clear(SSL *s)
if (s->s3->handshake_dgst) {
ssl3_free_digest_list(s);
}
if (s->s3->handshake_dgst) {
ssl3_free_digest_list(s);
}
+
+#if !defined(OPENSSL_NO_TLSEXT)
+ if (s->s3->alpn_selected)
+ {
+ free(s->s3->alpn_selected);
+ s->s3->alpn_selected = NULL;
+ }
+#endif
memset(s->s3,0,sizeof *s->s3);
s->s3->rbuf.buf = rp;
s->s3->wbuf.buf = wp;
memset(s->s3,0,sizeof *s->s3);
s->s3->rbuf.buf = rp;
s->s3->wbuf.buf = wp;
@@
-3372,7
+3389,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_HEARTBEATS
case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
#ifndef OPENSSL_NO_HEARTBEATS
case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
- if (SSL_
version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER
)
+ if (SSL_
IS_DTLS(s)
)
ret = dtls1_heartbeat(s);
else
ret = tls1_heartbeat(s);
ret = dtls1_heartbeat(s);
else
ret = tls1_heartbeat(s);
@@
-3407,6
+3424,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
else
return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
else
return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
+#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_CURVES:
{
unsigned char *clist;
case SSL_CTRL_GET_CURVES:
{
unsigned char *clist;
@@
-3448,8
+3466,8
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
case SSL_CTRL_SET_ECDH_AUTO:
s->cert->ecdh_tmp_auto = larg;
case SSL_CTRL_SET_ECDH_AUTO:
s->cert->ecdh_tmp_auto = larg;
-
break
;
-
+
return 1
;
+#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
@@
-3493,7
+3511,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
- if (
TLS1_get_version(s) >= TLS1_2_VERSION
)
+ if (
SSL_USE_SIGALGS(s)
)
{
if (s->session && s->session->sess_cert)
{
{
if (s->session && s->session->sess_cert)
{
@@
-3520,9
+3538,11
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY *ptmp;
int rv = 0;
sc = s->session->sess_cert;
EVP_PKEY *ptmp;
int rv = 0;
sc = s->session->sess_cert;
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
&& !sc->peer_ecdh_tmp)
return 0;
if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp
&& !sc->peer_ecdh_tmp)
return 0;
+#endif
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
@@
-3547,7
+3567,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
EVP_PKEY_free(ptmp);
return 0;
}
EVP_PKEY_free(ptmp);
return 0;
}
-
+#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
SSL_SESSION *sess = s->session;
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
SSL_SESSION *sess = s->session;
@@
-3557,7
+3577,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
*pformat = sess->tlsext_ecpointformatlist;
return (int)sess->tlsext_ecpointformatlist_length;
}
*pformat = sess->tlsext_ecpointformatlist;
return (int)sess->tlsext_ecpointformatlist_length;
}
-
+#endif
default:
break;
}
default:
break;
}
@@
-3827,6
+3847,7
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
break;
#endif
break;
#endif
+#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
@@
-3838,8
+3859,8
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
parg);
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
parg);
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
-
break
;
-
+
return 1
;
+#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@
-3864,10
+3885,6
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
case SSL_CTRL_SET_CHAIN_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
case SSL_CTRL_SET_CHAIN_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
- case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG:
- ctx->tlsext_authz_server_audit_proof_cb_arg = parg;
- break;
-
#endif /* !OPENSSL_NO_TLSEXT */
/* A Thawte special :-) */
#endif /* !OPENSSL_NO_TLSEXT */
/* A Thawte special :-) */
@@
-3977,12
+3994,6
@@
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp;
break;
#endif
ctx->srp_ctx.SRP_give_srp_client_pwd_callback=(char *(*)(SSL *,void *))fp;
break;
#endif
-
- case SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB:
- ctx->tlsext_authz_server_audit_proof_cb =
- (int (*)(SSL *, void *))fp;
- break;
-
#endif
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
#endif
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
@@
-4080,9
+4091,9
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
{
c=sk_SSL_CIPHER_value(prio,i);
{
c=sk_SSL_CIPHER_value(prio,i);
- /* Skip TLS v1.2 only ciphersuites if
lower than v1.2
*/
+ /* Skip TLS v1.2 only ciphersuites if
not supported
*/
if ((c->algorithm_ssl & SSL_TLSV1_2) &&
if ((c->algorithm_ssl & SSL_TLSV1_2) &&
-
(TLS1_get_version(s) < TLS1_2_VERSION
))
+
!SSL_USE_TLS1_2_CIPHERS(s
))
continue;
ssl_set_cert_masks(cert,c);
continue;
ssl_set_cert_masks(cert,c);
@@
-4145,6
+4156,13
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
ii=sk_SSL_CIPHER_find(allow,c);
if (ii >= 0)
{
ii=sk_SSL_CIPHER_find(allow,c);
if (ii >= 0)
{
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+ if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+ {
+ if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
+ continue;
+ }
+#endif
ret=sk_SSL_CIPHER_value(allow,ii);
break;
}
ret=sk_SSL_CIPHER_value(allow,ii);
break;
}
@@
-4157,7
+4175,10
@@
int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
int ret=0;
const unsigned char *sig;
size_t i, siglen;
int ret=0;
const unsigned char *sig;
size_t i, siglen;
- int have_rsa_sign = 0, have_dsa_sign = 0, have_ecdsa_sign = 0;
+ int have_rsa_sign = 0, have_dsa_sign = 0;
+#ifndef OPENSSL_NO_ECDSA
+ int have_ecdsa_sign = 0;
+#endif
int nostrict = 1;
unsigned long alg_k;
int nostrict = 1;
unsigned long alg_k;
@@
-4182,10
+4203,11
@@
int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
case TLSEXT_signature_dsa:
have_dsa_sign = 1;
break;
case TLSEXT_signature_dsa:
have_dsa_sign = 1;
break;
-
+#ifndef OPENSSL_NO_ECDSA
case TLSEXT_signature_ecdsa:
have_ecdsa_sign = 1;
break;
case TLSEXT_signature_ecdsa:
have_ecdsa_sign = 1;
break;
+#endif
}
}
}
}
@@
-4458,14
+4480,14
@@
need to go to SSL_ST_ACCEPT.
}
return(ret);
}
}
return(ret);
}
-/* If we are using
TLS v1.2 or later and default SHA1+MD5 algorithms switch
- *
to new SHA256 PRF and handshake macs
+/* If we are using
default SHA1+MD5 algorithms switch to new SHA256 PRF
+ *
and handshake macs if required.
*/
long ssl_get_algorithm2(SSL *s)
{
long alg2 = s->s3->tmp.new_cipher->algorithm2;
*/
long ssl_get_algorithm2(SSL *s)
{
long alg2 = s->s3->tmp.new_cipher->algorithm2;
- if (
TLS1_get_version(s) >= TLS1_2_VERSION &&
- alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
+ if (
s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF
+
&&
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
return alg2;
}
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
return alg2;
}