X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=c336a85aa31df0dfb8195cbf38be2aeb96e2235f;hp=9f4040d7015fcdc4dd7be1295fc90dbcdd0a4c37;hb=62f45cc27d07187b59551e4fad3db4e52ea73f2c;hpb=b948ee27b0206a392bfd7340779b29ed9375e197 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9f4040d701..c336a85aa3 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1491,12 +1491,14 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, int i,j=0; SSL_CIPHER *c; unsigned char *q; - int no_scsv = s->renegotiate; + int empty_reneg_info_scsv = !s->renegotiate; /* Set disabled masks for this session */ ssl_set_client_disabled(s); if (sk == NULL) return(0); q=p; + if (put_cb == NULL) + put_cb = s->method->put_cipher_by_char; for (i=0; iid == SSL3_CK_SCSV) { - if (no_scsv) + if (!empty_reneg_info_scsv) continue; else - no_scsv = 1; + empty_reneg_info_scsv = 0; } #endif - j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); + j = put_cb(c,p); p+=j; } - /* If p == q, no ciphers and caller indicates an error. Otherwise - * add SCSV if not renegotiating. - */ - if (p != q && !no_scsv) + /* If p == q, no ciphers; caller indicates an error. + * Otherwise, add applicable SCSVs. */ + if (p != q) { - static SSL_CIPHER scsv = + if (empty_reneg_info_scsv) { - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 - }; - j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); - p+=j; + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }; + j = put_cb(&scsv,p); + p+=j; #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "SCSV sent by client\n"); + fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); #endif + } + if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) + { + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }; + j = put_cb(&scsv,p); + p+=j; + } } return(p-q); @@ -1541,11 +1554,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i,n; + if (s->s3) s->s3->send_connection_binding = 0; n=ssl_put_cipher_by_char(s,NULL,NULL); - if ((num%n) != 0) + if (n == 0 || (num%n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return(NULL); @@ -1570,7 +1584,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, for (i=0; is3 && (n != 3 || !p[0]) && (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && (p[n-1] == (SSL3_CK_SCSV & 0xff))) @@ -1590,6 +1604,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, continue; } + /* Check for TLS_FALLBACK_SCSV */ + if ((n != 3 || !p[0]) && + (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && + (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) + { + /* The SCSV indicates that the client previously tried a higher version. + * Fail if the current version is an unexpected downgrade. */ + if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); + if (s->s3) + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + c=ssl_get_cipher_by_char(s,p); p+=n; if (c != NULL) @@ -1751,62 +1782,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned } # endif -int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type, - custom_cli_ext_first_cb_fn fn1, - custom_cli_ext_second_cb_fn fn2, void* arg) - { - size_t i; - custom_cli_ext_record* record; - - /* Check for duplicates */ - for (i=0; i < ctx->custom_cli_ext_records_count; i++) - if (ext_type == ctx->custom_cli_ext_records[i].ext_type) - return 0; - - ctx->custom_cli_ext_records = OPENSSL_realloc(ctx->custom_cli_ext_records, - (ctx->custom_cli_ext_records_count + 1) * - sizeof(custom_cli_ext_record)); - if (!ctx->custom_cli_ext_records) { - ctx->custom_cli_ext_records_count = 0; - return 0; - } - ctx->custom_cli_ext_records_count++; - record = &ctx->custom_cli_ext_records[ctx->custom_cli_ext_records_count - 1]; - record->ext_type = ext_type; - record->fn1 = fn1; - record->fn2 = fn2; - record->arg = arg; - return 1; - } - -int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type, - custom_srv_ext_first_cb_fn fn1, - custom_srv_ext_second_cb_fn fn2, void* arg) - { - size_t i; - custom_srv_ext_record* record; - - /* Check for duplicates */ - for (i=0; i < ctx->custom_srv_ext_records_count; i++) - if (ext_type == ctx->custom_srv_ext_records[i].ext_type) - return 0; - - ctx->custom_srv_ext_records = OPENSSL_realloc(ctx->custom_srv_ext_records, - (ctx->custom_srv_ext_records_count + 1) * - sizeof(custom_srv_ext_record)); - if (!ctx->custom_srv_ext_records) { - ctx->custom_srv_ext_records_count = 0; - return 0; - } - ctx->custom_srv_ext_records_count++; - record = &ctx->custom_srv_ext_records[ctx->custom_srv_ext_records_count - 1]; - record->ext_type = ext_type; - record->fn1 = fn1; - record->fn2 = fn2; - record->arg = arg; - return 1; - } - /* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|. * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit * length-prefixed strings). @@ -2078,10 +2053,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) #ifndef OPENSSL_NO_SRP SSL_CTX_SRP_CTX_init(ret); #endif - ret->custom_cli_ext_records = NULL; - ret->custom_cli_ext_records_count = 0; - ret->custom_srv_ext_records = NULL; - ret->custom_srv_ext_records_count = 0; #ifndef OPENSSL_NO_BUF_FREELISTS ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT; ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST)); @@ -2220,10 +2191,6 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_SRP SSL_CTX_SRP_CTX_free(a); #endif -#ifndef OPENSSL_NO_TLSEXT - OPENSSL_free(a->custom_cli_ext_records); - OPENSSL_free(a->custom_srv_ext_records); -#endif #ifndef OPENSSL_NO_ENGINE if (a->client_cert_engine) ENGINE_finish(a->client_cert_engine); @@ -3639,7 +3606,6 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx) return ctx->cert->sec_ex; } - #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) #include "../crypto/bio/bss_file.c" #endif