(len < 2))
return(NULL);
+ p=buf;
+ sk=s->session->ciphers;
+
if (sk_SSL_CIPHER_num(sk) == 0)
return NULL;
- p=buf;
- sk=s->session->ciphers;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
int n;
int i,j=0;
SSL_CIPHER *c;
unsigned char *q;
- int no_scsv = s->renegotiate;
+ int empty_reneg_info_scsv = !s->renegotiate;
/* Set disabled masks for this session */
ssl_set_client_disabled(s);
if (sk == NULL) return(0);
q=p;
+ if (put_cb == NULL)
+ put_cb = s->method->put_cipher_by_char;
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
if (c->id == SSL3_CK_SCSV)
{
- if (no_scsv)
+ if (!empty_reneg_info_scsv)
continue;
else
- no_scsv = 1;
+ empty_reneg_info_scsv = 0;
}
#endif
- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
+ j = put_cb(c,p);
p+=j;
}
- /* If p == q, no ciphers and caller indicates an error. Otherwise
- * add SCSV if not renegotiating.
- */
- if (p != q && !no_scsv)
+ /* If p == q, no ciphers; caller indicates an error.
+ * Otherwise, add applicable SCSVs. */
+ if (p != q)
{
- static SSL_CIPHER scsv =
+ if (empty_reneg_info_scsv)
{
- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
- };
- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
- p+=j;
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "SCSV sent by client\n");
+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
#endif
+ }
+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
+ {
+ static SSL_CIPHER scsv =
+ {
+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ };
+ j = put_cb(&scsv,p);
+ p+=j;
+ }
}
return(p-q);
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
int i,n;
+
if (s->s3)
s->s3->send_connection_binding = 0;
n=ssl_put_cipher_by_char(s,NULL,NULL);
- if ((num%n) != 0)
+ if (n == 0 || (num%n) != 0)
{
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
return(NULL);
for (i=0; i<num; i+=n)
{
- /* Check for SCSV */
+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
if (s->s3 && (n != 3 || !p[0]) &&
(p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
(p[n-1] == (SSL3_CK_SCSV & 0xff)))
continue;
}
+ /* Check for TLS_FALLBACK_SCSV */
+ if ((n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
+ {
+ /* The SCSV indicates that the client previously tried a higher version.
+ * Fail if the current version is an unexpected downgrade. */
+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
+ if (s->s3)
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
+ goto err;
+ }
+ continue;
+ }
+
c=ssl_get_cipher_by_char(s,p);
p+=n;
if (c != NULL)
}
# endif
-int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_cli_ext_first_cb_fn fn1,
- custom_cli_ext_second_cb_fn fn2, void* arg)
- {
- size_t i;
- custom_cli_ext_record* record;
-
- /* Check for duplicates */
- for (i=0; i < ctx->custom_cli_ext_records_count; i++)
- if (ext_type == ctx->custom_cli_ext_records[i].ext_type)
- return 0;
-
- ctx->custom_cli_ext_records = OPENSSL_realloc(ctx->custom_cli_ext_records,
- (ctx->custom_cli_ext_records_count + 1) *
- sizeof(custom_cli_ext_record));
- if (!ctx->custom_cli_ext_records) {
- ctx->custom_cli_ext_records_count = 0;
- return 0;
- }
- ctx->custom_cli_ext_records_count++;
- record = &ctx->custom_cli_ext_records[ctx->custom_cli_ext_records_count - 1];
- record->ext_type = ext_type;
- record->fn1 = fn1;
- record->fn2 = fn2;
- record->arg = arg;
- return 1;
- }
-
-int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_srv_ext_first_cb_fn fn1,
- custom_srv_ext_second_cb_fn fn2, void* arg)
- {
- size_t i;
- custom_srv_ext_record* record;
-
- /* Check for duplicates */
- for (i=0; i < ctx->custom_srv_ext_records_count; i++)
- if (ext_type == ctx->custom_srv_ext_records[i].ext_type)
- return 0;
-
- ctx->custom_srv_ext_records = OPENSSL_realloc(ctx->custom_srv_ext_records,
- (ctx->custom_srv_ext_records_count + 1) *
- sizeof(custom_srv_ext_record));
- if (!ctx->custom_srv_ext_records) {
- ctx->custom_srv_ext_records_count = 0;
- return 0;
- }
- ctx->custom_srv_ext_records_count++;
- record = &ctx->custom_srv_ext_records[ctx->custom_srv_ext_records_count - 1];
- record->ext_type = ext_type;
- record->fn1 = fn1;
- record->fn2 = fn2;
- record->arg = arg;
- return 1;
- }
-
/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
* |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
* length-prefixed strings).
*len = ssl->s3->alpn_selected_len;
}
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
- unsigned short supp_data_type,
- cli_supp_data_first_cb_fn fn1,
- cli_supp_data_second_cb_fn fn2, void* arg)
- {
- size_t i;
- cli_supp_data_record* record;
-
- /* Check for duplicates */
- for (i=0; i < ctx->cli_supp_data_records_count; i++)
- if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type)
- return 0;
-
- ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records,
- (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record));
- if (!ctx->cli_supp_data_records)
- {
- ctx->cli_supp_data_records_count = 0;
- return 0;
- }
- ctx->cli_supp_data_records_count++;
- record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1];
- record->supp_data_type = supp_data_type;
- record->fn1 = fn1;
- record->fn2 = fn2;
- record->arg = arg;
- return 1;
- }
-
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
- unsigned short supp_data_type,
- srv_supp_data_first_cb_fn fn1,
- srv_supp_data_second_cb_fn fn2, void* arg)
- {
- size_t i;
- srv_supp_data_record* record;
-
- /* Check for duplicates */
- for (i=0; i < ctx->srv_supp_data_records_count; i++)
- if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type)
- return 0;
-
- ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records,
- (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record));
- if (!ctx->srv_supp_data_records)
- {
- ctx->srv_supp_data_records_count = 0;
- return 0;
- }
- ctx->srv_supp_data_records_count++;
- record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1];
- record->supp_data_type = supp_data_type;
- record->fn1 = fn1;
- record->fn2 = fn2;
- record->arg = arg;
-
- return 1;
- }
-
#endif /* !OPENSSL_NO_TLSEXT */
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
#ifndef OPENSSL_NO_SRP
SSL_CTX_SRP_CTX_init(ret);
#endif
- ret->custom_cli_ext_records = NULL;
- ret->custom_cli_ext_records_count = 0;
- ret->custom_srv_ext_records = NULL;
- ret->custom_srv_ext_records_count = 0;
- ret->cli_supp_data_records = NULL;
- ret->cli_supp_data_records_count = 0;
- ret->srv_supp_data_records = NULL;
- ret->srv_supp_data_records_count = 0;
#ifndef OPENSSL_NO_BUF_FREELISTS
ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
#ifndef OPENSSL_NO_SRP
SSL_CTX_SRP_CTX_free(a);
#endif
-#ifndef OPENSSL_NO_TLSEXT
- OPENSSL_free(a->custom_cli_ext_records);
- OPENSSL_free(a->custom_srv_ext_records);
- OPENSSL_free(a->cli_supp_data_records);
- OPENSSL_free(a->srv_supp_data_records);
-#endif
#ifndef OPENSSL_NO_ENGINE
if (a->client_cert_engine)
ENGINE_finish(a->client_cert_engine);
return ctx->cert->sec_ex;
}
-
#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
#include "../crypto/bio/bss_file.c"
#endif
projects / openssl.git / blobdiff